CVE-2015-4633 — CRITICAL (9.8)

Q: How severe is CVE-2015-4633?

CVE-2015-4633 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2015-4633?

Check the references section above for vendor advisories and patch information. Affected products include: Koha Koha.

Vulnerability Description

Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Koha	Koha	>= 3.14.00, < 3.14.16

Related Weaknesses (CWE)

CWE-89

References

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412ExploitIssue Tracking
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426ExploitIssue TrackingThird Party Advisory
https://koha-community.org/koha-3-14-16-released/Release Notes
https://koha-community.org/security-release-koha-3-16-12/Release Notes
https://koha-community.org/security-release-koha-3-18-8/Release Notes
https://koha-community.org/security-release-koha-3-20-1/Release Notes
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-ExploitThird Party AdvisoryVDB Entry
https://seclists.org/fulldisclosure/2015/Jun/80ExploitMailing ListThird Party Advisory
https://www.exploit-db.com/exploits/37387/ExploitThird Party AdvisoryVDB Entry
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-severaExploitRelease NotesThird Party Advisory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412ExploitIssue Tracking
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426ExploitIssue TrackingThird Party Advisory
https://koha-community.org/koha-3-14-16-released/Release Notes
https://koha-community.org/security-release-koha-3-16-12/Release Notes
https://koha-community.org/security-release-koha-3-18-8/Release Notes

FAQ

What is CVE-2015-4633?

CVE-2015-4633 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL command...

How severe is CVE-2015-4633?

CVE-2015-4633 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2015-4633?

Check the references section above for vendor advisories and patch information. Affected products include: Koha Koha.