{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-24336", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-06T17:53:11.087Z", "dateReserved": "2024-01-25T00:00:00", "datePublished": "2024-03-19T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-19T20:29:58.269773"}, "descriptions": [{"lang": "en", "value": "A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and \u2018/members/members-home.pl\u2019 endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and \u2018Patrons Restriction\u2019 components."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://nitipoom-jar.github.io/CVE-2024-24336/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.467Z"}, "title": "CVE Program Container", "references": [{"url": "https://nitipoom-jar.github.io/CVE-2024-24336/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "affected": [{"vendor": "koha-community", "product": "koha_library_software", "cpes": ["cpe:2.3:a:koha-community:koha_library_software:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "23.05.05", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T17:50:36.182853Z", "id": "CVE-2024-24336", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T17:53:11.087Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://nitipoom-jar.github.io/CVE-2024-24336/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.467Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-24336", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-06T17:50:36.182853Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:koha-community:koha_library_software:*:*:*:*:*:*:*:*"], "vendor": "koha-community", "product": "koha_library_software", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "23.05.05"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T17:52:28.452Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://nitipoom-jar.github.io/CVE-2024-24336/"}], "descriptions": [{"lang": "en", "value": "A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and \u2018/members/members-home.pl\u2019 endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and \u2018Patrons Restriction\u2019 components."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-19T20:29:58.269773"}}}, "cveMetadata": {"cveId": "CVE-2024-24336", "state": "PUBLISHED", "dateUpdated": "2024-08-06T17:53:11.087Z", "dateReserved": "2024-01-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-19T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and \u2018/members/members-home.pl\u2019 endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and \u2018Patrons Restriction\u2019 components."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) m\u00faltiple en los endpoints '/members/moremember.pl' y '/members/members-home.pl' dentro de Koha Library Management System versi\u00f3n 23.05.05 y anteriores permite que usuarios malintencionados del personal lleven realizar ataques CSRF, incluidos cambios no autorizados en los nombres de usuario y contrase\u00f1as de los usuarios que visitan la p\u00e1gina afectada, a trav\u00e9s de los componentes 'Nota de circulaci\u00f3n' y 'Restricci\u00f3n de usuarios'."}], "id": "CVE-2024-24336", "lastModified": "2024-11-21T08:59:12.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-19T21:15:07.667", "references": [{"source": "cve@mitre.org", "url": "https://nitipoom-jar.github.io/CVE-2024-24336/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://nitipoom-jar.github.io/CVE-2024-24336/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}