A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 29 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Koha-community
Koha-community koha Library Software
CPEs cpe:2.3:a:koha-community:koha_library_software:*:*:*:*:*:*:*:*
Vendors & Products Koha-community
Koha-community koha Library Software
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 14:45:00 +0000


Tue, 06 Aug 2024 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-09-29T14:28:04.099Z

Reserved: 2024-01-25T00:00:00.000Z

Link: CVE-2024-24336

cve-icon Vulnrichment

Updated: 2024-08-01T23:19:52.467Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-19T21:15:07.667

Modified: 2025-09-29T15:16:05.743

Link: CVE-2024-24336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T22:23:25Z