CVE-2024-24337

EUVD-2024-21759
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
kohakoha
𝑥
≤ 23.05.05
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://nitipoom-jar.github.io/CVE-2024-24337/
https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-24337
https://nitipoom-jar.github.io/CVE-2024-24337/