https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593
Bug ID: 41593
Summary: Authenticated SQL Injection in Koha staff interface
allows full database compromise
Initiative type: ---
Sponsorship Seeking sponsor
status:
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
An authenticated SQL Injection vulnerability was identified in the Koha staff
interface.
A low-privileged staff user can inject arbitrary SQL queries via a vulnerable
request parameter processed by the GetDistinctValues functionality. The
injection occurs due to unsafe handling of user-supplied input when
constructing SQL queries without sufficient sanitization or strict validation.
Successful exploitation allows an authenticated attacker to fully compromise
the backend database.
/cgi-bin/koha/suggestion/suggestion.pl
displayby vulnerebl parameter
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
