Our selection of information-security alerts and advisories.
Sources: US Cert, Cert EU, Cert FR, Cnil, VulDB.

Wednesday, October 17, 2018

koha up to 3.14.15/3.16.11/3.18.9/3.20.0 addshelf cross site scripting

A vulnerability, which was classified as problematic, was found in koha up to 3.14.15/3.16.11/3.18.9/3.20.0. This affects an unknown function of the file The manipulation of the argument addshelf as part of a Parameter leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-80. This is going to have an impact on integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

The weakness was released 10/18/2018 as EDB-ID 37389 as uncorroborated exploit (Exploit-DB). It is possible to read the advisory at This vulnerability is uniquely identified as CVE-2015-4631 since 06/16/2015. It is possible to initiate the attack remotely. Technical details and a public exploit are known.

An exploit was disclosed immediately after the advisory. The exploit is shared for download at

Upgrading to version 3.14.16, 3.16.12, 3.18.10 or 3.20.1 eliminates this vulnerability.

Entries connected to this vulnerability are available at 125750.



VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 4.0

VulDB Base Score: 4.3
VulDB Temp Score: 4.0


Class: Cross site scripting (CWE-80)
Local: No
Remote: Yes

Availability: Yes
Access: Public


Recommended: Upgrade
Status: Official fix

Upgrade: koha 3.14.16/3.16.12/3.18.10/3.20.1


06/16/2015 CVE assigned
10/18/2018 Advisory disclosed
10/18/2018 Exploit disclosed
10/18/2018 EDB entry disclosed
10/19/2018 VulDB entry created
10/19/2018 VulDB last update


Advisory: EDB-ID 37389
Status: Uncorroborated

CVE: CVE-2015-4631


Created: 10/19/2018


Author: VulDB

Categories: VulDB
Number of views: 331

