{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T01:24:47.573","vulnerabilities":[{"cve":{"id":"CVE-2018-1000670","sourceIdentifier":"cve@mitre.org","published":"2018-09-06T19:29:00.627","lastModified":"2024-11-21T03:40:22.397","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11."},{"lang":"es","value":"KOHA Library System en versiones 16.11.x (hasta la 16.11.13) y versiones 17.05.x (hasta la 17.05.05) contiene una vulnerabilidad Cross-Site Scripting (XSS) en múltiples campos de múltiples páginas, incluyendo /cgi-bin/koha/acqui/supplier.pl?op=enter, /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] y /cgi-bin/koha/serials/subscription-add.pl. Esto puede resultar en un escalado de privilegios obteniendo el control de las sesiones de navegación de usuarios con mayores privilegios. El ataque parece ser explotable si la víctima es engañada mediante ingeniería social para que visite una página web vulnerable que contiene una carga útil maliciosa. La vulnerabilidad parece haber sido solucionada en la versión 17.11."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*","versionStartIncluding":"16.11.0","versionEndIncluding":"16.11.13","matchCriteriaId":"3248F696-8686-4093-94DE-2D30EBE76239"},{"vulnerable":true,"criteria":"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*","versionStartIncluding":"17.05.0","versionEndIncluding":"17.05.05","matchCriteriaId":"20CF4C18-0421-40BA-BAFD-712040BE657A"}]}]}],"references":[{"url":"https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086","source":"cve@mitre.org","tags":["Exploit","Issue Tracking","Vendor Advisory"]},{"url":"https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Vendor Advisory"]}]}}]}