CVE-2024-24337

Name of the Vulnerable Software and Affected Versions Koha Library Management System versions 23.05.05 and earlier

Description The issue is related to a lack of neutralization of elements in a CSV file, affecting the components members/moremember.pl and admin/aqbudgets.pl. This allows a remote attacker to execute arbitrary DDE commands by sending a specially crafted CSV file. The vulnerability can be exploited via the 'Budget' and 'Patrons Member' components.

Recommendations For Koha Library Management System versions 23.05.05 and earlier, consider disabling the /members/moremember.pl and /admin/aqbudgets.pl endpoints until a patch is available. Restrict access to the 'Budget' and 'Patrons Member' components to minimize the risk of exploitation. Avoid using these components to export CSV files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.