CVE-2015-4633
Published 2018-10-18
Priority P268 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see the exploit-db and Packet Storm references)
EPSS: 6.02% (92.4th percentile)
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
Affected
10 ranges. Only the four koha 3.x rows are the 2015 fixes for this CVE; the six koha_community rows reproduce the affected ranges of the related CVE-2026-6428 catalogue_out.pl advisory quoted further down and should not be read as versions vulnerable to CVE-2015-4633.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| koha | koha | >= 3.14.00 < 3.14.16 | 3.14.16 |
| koha | koha | >= 3.16.00 < 3.16.12 | 3.16.12 |
| koha | koha | >= 3.18.00 < 3.18.08 | 3.18.08 |
| koha | koha | >= 3.20.00 < 3.20.01 | 3.20.01 |
| koha_community | koha | < 22.11.38 | 22.11.38 |
| koha_community | koha | 23.05.00 – 23.11.15 | — |
| koha_community | koha | >= 24.05.00 < 24.11.16 | 24.11.16 |
| koha_community | koha | >= 25.05.00 < 25.05.11 | 25.05.11 |
| koha_community | koha | >= 25.11.00 < 25.11.05 | 25.11.05 |
| koha_community | koha | >= 26.05.00 < 26.05.01 | 26.05.01 |
Detection & IOCs (extracted from the sources)
- command: `number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)` (the time-based payload from the public PoC against the OPAC number parameter)
- Monitor GET requests to opac-tags_subject.pl where the 'number' parameter contains SQL keywords or time-based blind injection patterns such as PROCEDURE ANALYSE, BENCHMARK, or EXTRACTVALUE.
- Monitor POST requests to reports/borrowers_out.pl for SQL injection payloads in the 'Filter' or 'Criteria' parameters, specifically ELT() boolean-based injection patterns.
- The OPAC-side injection in opac-tags_subject.pl requires no authentication; 'number' is an integer identifier, so alert on any non-numeric value in that GET parameter from unauthenticated sessions.
- Detect time-based blind exploitation attempts by monitoring for unusually high response latency on requests to opac-tags_subject.pl, consistent with BENCHMARK() delays.
- The public PoC delivers the Staff-interface POST to reports/borrowers_out.pl with netcat rather than a browser, so the request carries none of the usual browser headers; alert on POSTs to that script whose Criteria or Filter parameters contain SQL syntax, independent of the client that sent them.
- Caveat: time-based blind exploitation of the OPAC parameter depends on sqlmap's --time-sec tuning; network latency causes false negatives or errors, as the repeated time-delay increases in the PoC show. Expect attacker traffic to appear as repeated probes of the same parameter.
- Caveat: filesystem read/write through the injection is only possible if the MySQL server is misconfigured, e.g. the Koha database user holds the FILE privilege or secure_file_priv is unset.
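The two detection rules above (non-numeric `number` on the unauthenticated OPAC script, SQL syntax in `Filter`/`Criteria` on the Staff report) as an added worked example run over constructed log lines. This is illustration code, not part of the page or of Koha: the log lines are made up in Apache combined format, with the second line carrying the URL-encoded PoC payload, and the Koha paths under `/cgi-bin/koha/` are an assumption about the deployment. Plain access logs do not record POST bodies, so for the Staff rule `analyze_request` also accepts a parameter map taken from a WAF or reverse-proxy log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache combined log format; these are not real Koha logs.
# Line 2 carries the PROCEDURE ANALYSE/BENCHMARK payload from the public PoC, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2015:10:01:02 +0000] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2015:10:01:03 +0000] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1%20PROCEDURE%20ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1) HTTP/1.1" 200 512 "-" "sqlmap/1.0"
203.0.113.9 - - [24/Jun/2015:10:01:09 +0000] "GET /cgi-bin/koha/opac-tags_subject.pl?number=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.7 - - [24/Jun/2015:10:02:00 +0000] "GET /cgi-bin/koha/reports/borrowers_out.pl?Filter=CPL&Criteria=branchcode HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [24/Jun/2015:10:02:05 +0000] "GET /cgi-bin/koha/reports/borrowers_out.pl?Filter=%27%20OR%20ELT(1%3D1%2C1)--%20-&Criteria=branchcode HTTP/1.1" 200 2048 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# SQL syntax that never belongs in a borrower filter: the MySQL functions named in the
# PoC (ELT, BENCHMARK, EXTRACTVALUE, PROCEDURE ANALYSE), sleep/union primitives, comment
# terminators, and a quote immediately followed by boolean logic.
SQLI_RE = re.compile(
    r"(?i)(PROCEDURE\s+ANALYSE|BENCHMARK\s*\(|EXTRACTVALUE\s*\(|UPDATEXML\s*\("
    r"|\bELT\s*\(|\bSLEEP\s*\(|UNION\s+(ALL\s+)?SELECT|--\s|/\*|['\"]\s*(OR|AND)\b)"
)


def analyze_request(path, params):
    """Apply the page's two detection rules to one decoded request.

    params maps parameter name -> list of decoded values, whether they came from the
    query string or from a request body logged by a WAF/reverse proxy (plain Apache
    access logs do not record POST bodies, so the Staff rule needs such a source for POSTs).
    """
    alerts = []
    if path.endswith("/opac-tags_subject.pl"):
        # Unauthenticated OPAC endpoint: 'number' is an integer id, anything else is hostile.
        for value in params.get("number", []):
            if not re.fullmatch(r"\d+", value):
                alerts.append(f"OPAC SQLi: non-numeric number={value!r}")
    elif path.endswith("/reports/borrowers_out.pl"):
        # Authenticated Staff endpoint: Filter/Criteria are free text, so look for SQL syntax.
        for name in ("Filter", "Criteria"):
            for value in params.get(name, []):
                if SQLI_RE.search(value):
                    alerts.append(f"Staff SQLi: SQL syntax in {name}={value!r}")
    return alerts


def analyze_access_log(text):
    """Return [(ip, path, alerts)] for every flagged GET line in combined-format text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
        alerts = analyze_request(url.path, params)
        if alerts:
            findings.append((m["ip"], url.path, alerts))
    return findings


if __name__ == "__main__":
    for ip, path, alerts in analyze_access_log(SAMPLE_LOG):
        print(ip, path, *alerts, sep="\n  ")
```

Run against the constructed log it flags lines 2, 3 and 5 and passes the benign requests. The OPAC rule is strict because the parameter has a fixed type; the Staff rule is keyword-based, so a surname filter such as `D'Or` can trip the quote-plus-boolean clause and should be tuned against real report usage before alerting in production.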
CVSS provenance
- NVD, v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA (related advisory, ghsa_unreviewed · 2026-06-13 · CVSS 9.8)
CVE-2026-6428 [CRITICAL] CWE-89: SQL Injection in reports/catalogue_out.pl in Koha Community Koha
SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.
The vulnerable sink in the `calculate` sub concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:
```perl
# Fragment quoted by the advisory from reports/catalogue_out.pl (sub calculate): the first
# filter value is taken from the request, '*' is rewritten to the SQL wildcard '%', and the
# result is interpolated into the statement text with no placeholder.
my $f = @$filters[0];
$f =~ s/\*/%/g;
$strsth2 .= " AND $column LIKE '$f' ";
```
This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive
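The sink pattern above, and the 2015 borrowers_out.pl Filter/Criteria bug it repeats, as an added example with the vulnerable form beside a hardened one. This is illustration code written for this page, not Koha's Perl: it uses Python's stdlib sqlite3 with a constructed three-row stand-in for the borrowers table, so the MySQL-only EXTRACTVALUE error-based technique is not reproducible and the boolean form of the injection is shown instead; the `ALLOWED_COLUMNS` allowlist is a hypothetical remedy for the Criteria column name, not a fix taken from the project.

```python
import sqlite3

# Constructed stand-in for the borrowers table (three rows, two branches); not Koha's schema.
ROWS = [("B001", "CPL", "Alice"), ("B002", "MPL", "Bob"), ("B003", "CPL", "Carol")]
ALLOWED_COLUMNS = {"branchcode", "surname"}  # hypothetical allowlist for the Criteria column


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE borrowers (cardnumber TEXT, branchcode TEXT, surname TEXT)")
    con.executemany("INSERT INTO borrowers VALUES (?, ?, ?)", ROWS)
    return con


def vulnerable_filter(con, column, filt):
    """Mirrors the Koha sink: '*' becomes '%' and both the Criteria column name and the
    Filter value are interpolated into the statement text, so a quote in the Filter value
    closes the literal and a crafted Criteria value rewrites the WHERE clause."""
    f = filt.replace("*", "%")
    sql = f"SELECT cardnumber FROM borrowers WHERE 1=1 AND {column} LIKE '{f}' "
    return [row[0] for row in con.execute(sql)]


def safe_filter(con, column, filt):
    """Hardened form: the column name is checked against an allowlist (identifiers cannot
    be bound), and the value travels as a bound parameter so quotes in it never terminate
    the literal. The '*' -> '%' wildcard feature is kept."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    f = filt.replace("*", "%")
    sql = f"SELECT cardnumber FROM borrowers WHERE 1=1 AND {column} LIKE ? "
    return [row[0] for row in con.execute(sql, (f,))]


if __name__ == "__main__":
    con = make_db()
    print("legit     ", vulnerable_filter(con, "branchcode", "CPL"), safe_filter(con, "branchcode", "CPL"))
    print("Filter inj", vulnerable_filter(con, "branchcode", "' OR '1'='1"), safe_filter(con, "branchcode", "' OR '1'='1"))
    print("Criteria  ", vulnerable_filter(con, "1=1 OR cardnumber", "zzz"))
```

With the legitimate filter both versions return the two CPL cards; the injected Filter value makes the vulnerable query return every row while the bound version matches nothing, and the injected Criteria value is rejected before any SQL is built. Binding does not neutralise `%` or `_` supplied by the user, because the wildcard translation is a feature of the report; that only widens the match within the allowed column, it does not break out of the literal.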
GHSA (ghsa_unreviewed · 2022-05-14)
GHSA-xv5q-r8xx-69mw: CVE-2015-4633 [CRITICAL] CWE-89, Multiple SQL injection vulnerabilities in Koha 3 (description identical to the summary above).
No detection rules found.
No writeups or analysis indexed.
References
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
- https://koha-community.org/koha-3-14-16-released/
- https://koha-community.org/security-release-koha-3-16-12/
- https://koha-community.org/security-release-koha-3-18-8/
- https://koha-community.org/security-release-koha-3-20-1/
- https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
- https://seclists.org/fulldisclosure/2015/Jun/80
- https://www.exploit-db.com/exploits/37387/
- https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/