PT-2011-05: Cross-Site Scripting in Koha Library Software
Koha Library Software
version 3.2.9 and earlier or 3.4.1 and earlier
Severity level: Medium
Impact: Cross-Site Scripting
Attack vector: Remote
Base Score: 4.3
Temporal Score: 3.4
Koha Library Software – library automation system.
Positive Research Center detects XSS in Koha Library Software.
Application insufficiently verifies incoming data from users in the following scripts:
An attacker can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
How to fix
Update your software up to the latest version
31.05.2011 - Vendor is notified
15.06.2011 - Vendor gets vulnerability details
19.06.2011 - Vendor releases fixed version and details
06.07.2011 - Public disclosure
The vulnerability was detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Technologies Research Center: