CVE-2024-24336

Published: Mar 19, 2024Modified: Jun 17, 2026Deferred

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components.

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (3)

https://nitipoom-jar.github.io/CVE-2024-24336/

Source: cve@mitre.org

https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-24336

Source: cve@mitre.org

https://nitipoom-jar.github.io/CVE-2024-24336/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.