CVE-2024-24337
Severity: HIGH (CVSS 8.0)
Description
CSV Injection vulnerability in the '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints of Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands (spreadsheet formulas) into CSV exports via the 'Budget' and 'Patrons Member' components. Consistent with the CVSS vector below (PR:L, UI:R), the attacker needs a low-privileged account to store the crafted value, and the payload only fires when a staff user opens the exported CSV in a spreadsheet application that evaluates formulas.
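The following is an added example, not Koha's own code and not the fix shipped by the project (Koha is written in Perl; Python is used here only for the illustration). It shows the unsanitized export behaviour described above beside a neutralized version, and an audit function that scans an existing CSV export for cells a spreadsheet would evaluate. The function names (export_patrons, neutralize_csv_field, audit_csv), the column layout and the sample rows are assumptions constructed for this example.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# '=' '+' '-' '@' are the classic triggers; tab and carriage return are
# included because they are commonly used to slip past a check that only
# looks at the first four (assumption based on widely published guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: one formula in a surname, one '@' form in a
# first name, and a legitimate negative number that must NOT be mangled.
SAMPLE_ROWS = [
    ["1001", "=1+1", "Alice"],
    ["1002", "Smith", "@SUM(1,1)"],
    ["1003", "O'Neil", "-5"],
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def _is_plain_number(value: str) -> bool:
    """Negative numbers start with '-' but are data, not formulas."""
    try:
        float(value)
    except ValueError:
        return False
    return True


def neutralize_csv_field(value: str) -> str:
    """Prefix a single quote so the spreadsheet keeps the cell as text.

    Plain numbers are left untouched. Embedded double quotes are handled by
    the csv writer (doubled and wrapped in quotes), so a crafted value cannot
    terminate the quoted cell early.
    """
    if is_formula_like(value) and not _is_plain_number(value):
        return "'" + value
    return value


def export_patrons(rows, neutralize):
    """Write rows as CSV; `neutralize` is applied to every cell.

    Pass `lambda v: v` to reproduce the vulnerable behaviour (no
    neutralization) and `neutralize_csv_field` for the hardened export.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["cardnumber", "surname", "firstname"])
    for row in rows:
        writer.writerow([neutralize(cell) for cell in row])
    return buf.getvalue()


def audit_csv(text: str):
    """Return (row, column) of every cell that would be evaluated as a formula.

    Useful for checking an export produced by an application you do not
    control before anyone opens it in a spreadsheet.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell) and not _is_plain_number(cell):
                findings.append((r, c))
    return findings


if __name__ == "__main__":
    vulnerable = export_patrons(SAMPLE_ROWS, lambda v: v)
    hardened = export_patrons(SAMPLE_ROWS, neutralize_csv_field)
    print("vulnerable export findings:", audit_csv(vulnerable))
    print("hardened export findings:  ", audit_csv(hardened))
    print(hardened)
```

The single-quote prefix is the conventional neutralization; it is visible in the opened spreadsheet, so some deployments prefer to reject formula-like input at write time instead. Either way, the audit function is the check to run against an export you did not generate yourself.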
CVE details
CVSS v3.1 score: 8.0
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 2024-02-12
Last modified: 2025-09-29
Source: nvd
Honeypot sightings: 0
Affected products
koha:koha (Koha Library Management System, version 23.05.05 and earlier)
Weaknesses (CWE)
CWE-1236: Improper Neutralization of Formula Elements in a CSV File
References
https://nitipoom-jar.github.io/CVE-2024-24337/ (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.