漏洞标题
N/A
漏洞描述信息
在Koca 3.14.x 之前于3.14.16, 3.16.x 之前于3.16.12, 3.18.x 之前于3.18.08, 以及3.20.x 之前于3.20.1 版本的Koca中多次存在跨站脚本(XSS)漏洞,允许远程攻击者通过(1)标签参数到opac-search.pl;(2)值参数到authorities/authorities-home.pl;(3)延迟参数到acqui/lateorders.pl;(4) authtypecode或(5)标签字段到admin/auth_subfields_structure.pl;(6)标签字段参数到admin/marc_subfields_structure.pl;(7)目录限制参数到catalogue/search.pl;(8)书店滤波器,(9)电话号滤波器,(10)EAN滤波器,(11)ISSN滤波器,(12)出版商滤波器,或(13)标题滤波器到serials/serials-search.pl;或(14)作者,(15)集标题,(16)版权日期,(17)ISBN,(18)管理日期来自,(19)管理日期到,(20)出版商代码,(21)建议日期来自,(22)建议日期到参数到suggestion/suggestion.pl;或(23)方向,(24)显示或(25)添加 shelf参数到opac-shelves.pl。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Koha 跨站脚本漏洞
漏洞描述信息
Koha是Koha社区开发的一套开源的图书馆自动化系统(ILS)。该系统提供分类、检索、成员和顾客管理等功能。 Koha中存在多个跨站脚本漏洞。远程攻击者可借助多个参数利用该漏洞注入任意的Web脚本或HTML。(多个参数包括:‘tag’、‘value’、‘delay’、‘authtypecode’、‘tagfield’、‘limit’、‘bookseller_filter’、‘callnumber_filter’、‘EAN_filter’、‘ISSN_filter’、‘publisher_filter’、
CVSS信息
N/A
漏洞类别
跨站脚本