CVE-2024-28739

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-28739

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28739.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-28739

Published

2024-08-06T19:15:56.287Z

Modified

2026-04-10T05:11:32.223047Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.

References

https://febin0x4e4a.wordpress.com/2024/03/07/xss-to-one-click-rce-in-koha-ils/

Affected packages

Git / github.com/koha-community/koha

Affected ranges

Type

GIT

Repo

https://github.com/koha-community/koha

Events

Introduced

Last affected

dd76c6bcdc4432d7f1ff900873b09116dc258f44

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.05.00"
        }
    ]
}

Affected versions

Other

R_1-2-2RC4

R_1-3-0

R_1-3-1

R_1-3-2

R_1-3-3

R_1-9-0

R_1-9-1

R_1-9-2

R_1-9-3

R_2-0-0RC1

R_2-0-0pre1

R_2-0-0pre2

R_2-0-0pre3

R_2-0-0pre4

R_2-0-0pre5

R_2-1

R_2-4

v16.*

v16.05.00

v16.05.00-beta

v16.11.00

v17.*

v17.05.00

v17.11.00

v18.*

v18.05.00

v18.05.00-rc1

v18.11.00

v19.*

v19.05.00

v19.11.00

v20.*

v20.05.00

v20.11.00

v21.*

v21.05.00

v21.11.00

v22.*

v22.05.00

v22.11.00

v23.*

v23.05.00

v3.*

v3.00.00

v3.00.00-alpha

v3.00.00-beta

v3.00.00-beta2

v3.00.00-stableRC1

v3.02.00-alpha

v3.02.00-alpha2

v3.02.00-beta

v3.04.00

v3.08.00

v3.12.00-alpha

v3.12.00-alpha2

v3.12.00-beta1

v3.14.00-alpha1

v3.14.00-alpha2

v3.14.00-beta

v3.16.00

v3.16.00-beta

v3.16.00-rc

v3.18.00

v3.18.00-beta

v3.20.00

v3.20.00-beta

v3.22.00

v3.22.00-beta

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28739.json"