{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T22:04:41.558","vulnerabilities":[{"cve":{"id":"CVE-2018-1000669","sourceIdentifier":"cve@mitre.org","published":"2018-09-06T19:29:00.503","lastModified":"2024-11-21T03:40:22.230","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11."},{"lang":"es","value":"KOHA Library System en versiones 16.11.x (hasta la 16.11.13) y versiones 17.05.x (hasta la 17.05.05) contiene una vulnerabilidad Cross Site Request Forgery (CSRF) en /cgi-bin/koha/members/paycollect.pl. Los parámetros afectados son: borrowernumber, amount, amountoutstanding y paid. Esto puede resultar en que los atacantes puedan marcar pagos como \"pagados\" para ciertos usuarios en nombre de los administradores. El ataque parece ser explotable si la víctima es engañada mediante ingeniería social para que haga clic en un enlace, normalmente por email. La vulnerabilidad parece haber sido solucionada en la versión 17.11."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*","versionStartIncluding":"16.11.0","versionEndIncluding":"16.11.13","matchCriteriaId":"3248F696-8686-4093-94DE-2D30EBE76239"},{"vulnerable":true,"criteria":"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*","versionStartIncluding":"17.05.0","versionEndIncluding":"17.05.05","matchCriteriaId":"20CF4C18-0421-40BA-BAFD-712040BE657A"}]}]}],"references":[{"url":"https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117","source":"cve@mitre.org","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]}]}}]}