Our selection of SSI alerts and advisories.
Sources: US Cert, Cert EU, Cert FR, Cnil, VulDB.

Wednesday, 17 October 2018

koha up to 3.14.15/3.16.11/3.18.9/3.20.0 opac-search.pl addshelf cross site scripting

A vulnerability classified as problematic was found in koha up to 3.14.15/3.16.11/3.18.9/3.20.0. It affects an unknown function of the file opac-search.pl. Manipulation of the addshelf parameter leads to a cross site scripting vulnerability. CWE classifies the issue as CWE-80. The impact is on integrity: an attacker might be able to inject arbitrary HTML and script code into the web site, altering its appearance and making further attacks against site visitors possible.

The weakness was published on 10/18/2018 as EDB-ID 37389, an uncorroborated exploit (Exploit-DB). The advisory can be read at exploit-db.com. This vulnerability has been uniquely identified as CVE-2015-4631 since 06/16/2015. The attack can be initiated remotely. Technical details and a public exploit are known.

An exploit was disclosed immediately afterwards and is shared for download at exploit-db.com.

Upgrading to version 3.14.16, 3.16.12, 3.18.10 or 3.20.1 eliminates this vulnerability.

Entries connected to this vulnerability are available at 125750.

CPE

CVSSv3

VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 4.0

VulDB Base Score: 4.3
VulDB Temp Score: 4.0

Exploiting

Class: Cross site scripting (CWE-80)
Local: No
Remote: Yes

Availability: Yes
Access: Public

Countermeasures

Recommended: Upgrade
Status: Official fix

Upgrade: koha 3.14.16/3.16.12/3.18.10/3.20.1

Timeline

06/16/2015 CVE assigned
10/18/2018 Advisory disclosed
10/18/2018 Exploit disclosed
10/18/2018 EDB entry disclosed
10/19/2018 VulDB entry created
10/19/2018 VulDB last update

Sources

Advisory: EDB-ID 37389
Status: Uncorroborated

CVE: CVE-2015-4631

Entry

Created: 10/19/2018

Link to the source article

Author: VulDB

Categories: VulDB
Number of views: 331
