{ "CVE_data_meta" : { "ASSIGNER" : "kurt@seifried.org", "DATE_ASSIGNED" : "2018-09-03T16:07:16.980429", "DATE_REQUESTED" : "2018-08-24T17:52:47", "ID" : "CVE-2018-1000670", "REQUESTER" : "jiakyooi95@hotmail.com", "STATE" : "PUBLIC" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "KOHA Library System", "version" : { "version_data" : [ { "version_value" : "16.11.x (up until 16.11.13)" }, { "version_value" : "17.05.x (up until 17.05.05)" } ] } } ] }, "vendor_name" : "KOHA Library System" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "KOHA Library System versions 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contain a Cross Site Scripting (XSS) vulnerability in multiple fields on multiple pages, including /cgi-bin/koha/acqui/supplier.pl?op=enter, /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number], and /cgi-bin/koha/serials/subscription-add.pl, that can result in privilege escalation by taking control of higher-privileged users' browser sessions. This attack appears to be exploitable when a victim is socially engineered into visiting a vulnerable web page containing a malicious payload. This vulnerability appears to have been fixed in 17.11." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "Cross Site Scripting (XSS)" } ] } ] }, "references" : { "reference_data" : [ { "name" : "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086", "refsource" : "CONFIRM", "url" : "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086" } ] } }