cbcvebase.
CVE-2015-4632
published 2018-10-18

CVE-2015-4632: Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote…

PriorityP268high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
51.83%
98.8th percentile
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.

Affected

4 ranges
VendorProductVersion rangeFixed in
kohakoha>= 3.14.00 < 3.14.163.14.16
kohakoha>= 3.16.00 < 3.16.123.16.12
kohakoha>= 3.18.00 < 3.18.083.18.08
kohakoha>= 3.20.00 < 3.20.013.20.01

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
url/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
path/cgi-bin/koha/svc/virtualshelves/search
path/cgi-bin/koha/svc/members/search
  • Detect directory traversal attempts against Koha by monitoring HTTP GET requests to /cgi-bin/koha/svc/virtualshelves/search or /cgi-bin/koha/svc/members/search containing the encoded traversal sequence ..%2f in the template_path parameter.
  • A successful exploitation response will contain /etc/passwd content; match HTTP 200 responses from the vulnerable endpoints with body matching root:.*:0:0: to confirm exploitation.
  • Use Shodan query cpe:"cpe:2.3:a:koha:koha" to identify exposed Koha instances for proactive scanning.
  • ·The vulnerability is exploitable without authentication (PR:N, UI:N), meaning no session or credentials are required to trigger the path traversal via the template_path parameter.
  • ·Affected versions span multiple release branches: 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1; detections should account for all these branches.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.