CVE-2015-4632
Published 2018-10-18
CVE-2015-4632: Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote…
Priority P268 · high · 7.5 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 51.83% (98.8th percentile)
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| koha | koha | >= 3.14.00 < 3.14.16 | 3.14.16 |
| koha | koha | >= 3.16.00 < 3.16.12 | 3.16.12 |
| koha | koha | >= 3.18.00 < 3.18.08 | 3.18.08 |
| koha | koha | >= 3.20.00 < 3.20.01 | 3.20.01 |
Detection & IOCs
url: /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
url: /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
- Detect directory traversal attempts against Koha by monitoring HTTP GET requests to /cgi-bin/koha/svc/virtualshelves/search or /cgi-bin/koha/svc/members/search containing the encoded traversal sequence ..%2f in the template_path parameter.
- A successful exploitation response will contain /etc/passwd content; match HTTP 200 responses from the vulnerable endpoints with body matching root:.*:0:0: to confirm exploitation.
- Use Shodan query cpe:"cpe:2.3:a:koha:koha" to identify exposed Koha instances for proactive scanning.
- The vulnerability is exploitable without authentication (PR:N, UI:N), meaning no session or credentials are required to trigger the path traversal via the template_path parameter.
- Affected versions span multiple release branches: 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1; detections should account for all these branches.
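The request-side detection described above, as an added example (not code from this page, Koha, or the Nuclei template). It assumes web-server access logs in combined log format; the sample lines are constructed. It goes slightly beyond the literal `..%2f` match by decoding repeatedly, so upper-case and double-encoded variants are flagged too.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints named in the advisory for CVE-2015-4632.
ENDPOINTS = ("/svc/virtualshelves/search", "/svc/members/search")
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up benign value).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2015:10:00:00 +0000] "GET /cgi-bin/koha/svc/members/search?template_path=tables/results.tt HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Jun/2015:10:00:01 +0000] "GET /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [26/Jun/2015:10:00:02 +0000] "GET /cgi-bin/koha/svc/members/search?template_path=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 210',
    '203.0.113.9 - - [26/Jun/2015:10:00:03 +0000] "GET /cgi-bin/koha/opac-search.pl?q=..%2f HTTP/1.1" 200 90',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252f and %2F both collapse to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if the fully decoded value contains a '..' path segment."""
    return ".." in re.split(r"[/\\]", fully_decode(value))

def scan_line(line):
    """Return a finding dict for a traversal attempt on a Koha svc endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not fully_decode(url.path).endswith(ENDPOINTS):
        return None
    for key, val in parse_qsl(url.query, keep_blank_values=True):
        if key == "template_path" and has_traversal(val):
            return {"ip": m["ip"], "endpoint": url.path, "status": int(m["status"]), "value": fully_decode(val)}
    return None

def scan(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 is the case to triage first; access logs do not carry response bodies, so confirming the `root:.*:0:0:` match needs a proxy or IDS capture.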
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
GHSA
GHSA-7f22-j94q-hwmh: Multiple directory traversal vulnerabilities in Koha 3
ghsa_unreviewed·2022-05-14
CVE-2015-4632 [HIGH] CWE-22 GHSA-7f22-j94q-hwmh: Multiple directory traversal vulnerabilities in Koha 3
VMware
VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
vendor_vmware·2015-01-29·CVSS 4.3
CVE-2014-4632 [MEDIUM] VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
VMSA-2015-0002: VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
a. VMware vSphere Data Protection certificate validation vulnerability
VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauthorized backup and restore operations.
VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre for Computing, KIT, Germany for reporting this issue to VMware and the EMC Product Security Response Center for working with us on the issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-4632 to this issue. Column 4 of the following table lists the action
No detection rules found.
Exploit-DB
Koha 3.20.1 - Directory Traversal
exploitdb·2015-06-26·CVSS 7.5
CVE-2015-4632 [HIGH] Koha 3.20.1 - Directory Traversal
---
# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research ([email protected])
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632
### CVE-2015-4632 ###
#### Title: ####
Directory traversal
#### Type of vulnerability: ####
File Path Traversal
##### Exploitation vector:
Injecting into the "template_path" parameter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search
##### Attack outcome:
Rea
Nuclei
Koha 3.20.1 - Directory Traversal
nuclei·CVSS 7.5
CVE-2015-4632 [HIGH] Koha 3.20.1 - Directory Traversal
Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
Template:
id: CVE-2015-4632

info:
  name: Koha 3.20.1 - Directory Traversal
  author: daffainfo
  severity: high
  description: Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
  impact: |
    An attacker can read or modify sensitive files, potentially leading to unauthorized ac
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
https://koha-community.org/koha-3-14-16-released/
https://koha-community.org/security-release-koha-3-16-12/
https://koha-community.org/security-release-koha-3-18-8/
https://koha-community.org/security-release-koha-3-20-1/
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
https://seclists.org/fulldisclosure/2015/Jun/80
https://www.exploit-db.com/exploits/37388/
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
Published: 2018-10-18