PT-2011-05: Cross-Site Scripting in Koha Library Software

Vulnerable software

Koha Library Software
Versions 3.2.9 and earlier, and 3.4.1 and earlier

Application link:

Severity level

Severity level: Medium
Impact: Cross-Site Scripting
Attack vector: Remote

CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)


Software Description

Koha Library Software is a library automation system.

Vulnerability Description

Positive Research Center detected a cross-site scripting (XSS) vulnerability in Koha Library Software.

The application insufficiently validates incoming data from users in the following scripts:

An attacker can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.

How to fix

Update your software to the latest version.

Advisory status

31.05.2011 - Vendor is notified
15.06.2011 - Vendor gets vulnerability details
19.06.2011 - Vendor releases fixed version and details
06.07.2011 - Public disclosure


The vulnerability was detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)

