CVE-2024-36057

Name of the Vulnerable Software and Affected Versions Koha Library versions prior to 23.05.10

Description Koha Library versions before 23.05.10 do not properly sanitize filenames provided by users before unzipping them, which can lead to remote code execution. The upload-cover-image.pl script contains a command injection issue in the line 'qx/unzip $filename -d $dirname/;' due to the direct inclusion of attacker-controlled input within a system command. This can be triggered by uploading a malicious .zip file and then clicking Process Images.

Recommendations Update to version 23.05.10 or later.