Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Koha | Koha | <= 3.16.05 |
Related Weaknesses (CWE)
References
- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425
- http://koha-community.org/koha-3-16-6-release/PatchVendor Advisory
- http://koha-community.org/koha-3-18-2-release/PatchVendor Advisory
- http://secunia.com/advisories/61187
- http://www.securityfocus.com/bid/71803Exploit
- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425
- http://koha-community.org/koha-3-16-6-release/PatchVendor Advisory
- http://koha-community.org/koha-3-18-2-release/PatchVendor Advisory
- http://secunia.com/advisories/61187
- http://www.securityfocus.com/bid/71803Exploit
FAQ
What is CVE-2014-9446?
CVE-2014-9446 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by par...
How severe is CVE-2014-9446?
CVE-2014-9446 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9446?
Check the references section above for vendor advisories and patch information. Affected products include: Koha Koha.