CVE-2018-1000669

Source
https://cve.org/CVERecord?id=CVE-2018-1000669
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000669.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1000669
Published
2018-09-06T19:29:00.503Z
Modified
2026-04-10T04:03:37.694152Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Koha Library System 16.11.x (up to and including 16.11.13) and 17.05.x (up to and including 17.05.05) contain a Cross-Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl. Affected parameters: borrowernumber, amount, amountoutstanding, paid. An attacker who gets a logged-in staff user (Administrator) to open a crafted link, typically delivered by email, causes that user's browser to submit a payment request to paycollect.pl with the victim's session cookie attached, marking fines as paid for patrons of the attacker's choosing. The request is authorised by the session cookie alone, which is why the CVSS vector requires user interaction (UI:R) but no privileges (PR:N) on the attacker's side. The vulnerability is reported as fixed in Koha 17.11.

References

Affected packages

Git / github.com/koha-community/koha

Affected ranges

Type
GIT
Repo
https://github.com/koha-community/koha
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "16.11.0"
        },
        {
            "last_affected": "16.11.13"
        },
        {
            "introduced": "17.05.0"
        },
        {
            "last_affected": "17.05.05"
        }
    ]
}

Affected versions

Other
R_1-2-2RC4
R_1-3-0
R_1-3-1
R_1-3-2
R_1-3-3
R_1-9-0
R_1-9-1
R_1-9-2
R_1-9-3
R_2-0-0RC1
R_2-0-0pre1
R_2-0-0pre2
R_2-0-0pre3
R_2-0-0pre4
R_2-0-0pre5
R_2-1
R_2-4
v16.*
v16.05.00
v16.05.00-beta
v16.11.00
v16.11.01
v16.11.02
v16.11.03
v16.11.04
v16.11.05
v16.11.06
v16.11.07
v16.11.08
v16.11.09
v16.11.10
v16.11.11
v16.11.11-1
v16.11.12
v16.11.13
v17.*
v17.05.00
v17.05.01
v17.05.02
v17.05.03
v17.05.04
v17.05.05
v3.*
v3.00.00
v3.00.00-alpha
v3.00.00-beta
v3.00.00-beta2
v3.00.00-stableRC1
v3.02.00-alpha
v3.02.00-alpha2
v3.02.00-beta
v3.04.00
v3.08.00
v3.12.00-alpha
v3.12.00-alpha2
v3.12.00-beta1
v3.14.00-alpha1
v3.14.00-alpha2
v3.14.00-beta
v3.16.00
v3.16.00-beta
v3.16.00-rc
v3.18.00
v3.18.00-beta
v3.20.00
v3.20.00-beta
v3.22.00
v3.22.00-beta

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000669.json"