Impact
The Koha library system’s Send Basket feature, prior to version 23.05.10, allows a time‑based SQL injection through the POST parameter bib_list sent to /cgi-bin/koha/opac-sendbasket.pl. The code does not sanitize this input, so an attacker can craft queries and infer arbitrary database content from the server’s response timing. This flaw can expose catalog contents, user data, or other sensitive information, compromising confidentiality. The underlying weakness is an input validation error that permits SQL query manipulation, i.e. an SQL injection vulnerability.
Affected Systems
Koha Library, the open‑source integrated library system widely used by schools and public libraries. All releases before 23.05.10 are affected. The commit log and release notes for 23.05.10 and later indicate that the bib_list input is now properly sanitized, thereby fixing the issue.
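As an added illustration of the kind of input handling the fix describes (example code written for this page, not Koha’s own Perl code), the block below validates a bib_list value strictly as a list of integer biblionumbers and then queries with bound parameters rather than interpolated text. It assumes, for the sake of the example, that bib_list carries biblionumbers separated by "/"; the in-memory sqlite3 table and its rows are constructed stand-ins for Koha’s biblio table.

```python
import re
import sqlite3

# Assumption for this example (not taken from Koha's code): the bib_list
# parameter is a "/"-separated list of biblionumbers, e.g. "12/34/56".
SEPARATOR = "/"
MAX_ITEMS = 100  # constructed upper bound on basket size
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # positive decimal integer, at most 10 digits


def parse_bib_list(raw):
    """Return the biblionumbers in a bib_list value as a list of ints.

    Every element must be a plain positive integer; any other character
    (quotes, spaces, keywords, comment markers) makes the whole value invalid,
    so nothing attacker-controlled ever reaches the SQL text.
    """
    if not isinstance(raw, str) or raw == "":
        raise ValueError("bib_list must be a non-empty string")
    parts = raw.split(SEPARATOR)
    if len(parts) > MAX_ITEMS:
        raise ValueError("bib_list has too many entries")
    ids = []
    for part in parts:
        if _ID_RE.fullmatch(part) is None:
            raise ValueError("bib_list entry is not a biblionumber: %r" % part)
        ids.append(int(part))
    return ids


def build_query(ids):
    """Build a parameterised SELECT with one placeholder per id.

    The SQL text contains only placeholders; the values travel separately to
    the driver, which is what removes the injection surface.
    """
    if not ids:
        raise ValueError("no ids to query")
    placeholders = ",".join("?" for _ in ids)
    sql = ("SELECT biblionumber, title FROM biblio "
           "WHERE biblionumber IN (%s) ORDER BY biblionumber" % placeholders)
    return sql, tuple(ids)


def fetch_basket(conn, raw):
    """Validate bib_list and fetch the matching records with bound parameters."""
    sql, params = build_query(parse_bib_list(raw))
    return conn.execute(sql, params).fetchall()


def is_valid_bib_list(raw):
    """Boolean wrapper suitable as an input-validation gate in a request handler."""
    try:
        parse_bib_list(raw)
        return True
    except ValueError:
        return False


def make_demo_db():
    """Constructed in-memory catalogue standing in for Koha's biblio table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE biblio (biblionumber INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO biblio VALUES (?, ?)", [
        (12, "Perl Best Practices"),
        (34, "SQL Antipatterns"),
        (56, "The Art of Software Security Assessment"),
    ])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_basket(db, "12/56"))      # two matching rows
    print(is_valid_bib_list("12/34"))     # True
    print(is_valid_bib_list("12/abc"))    # False: rejected before any SQL is built
```

The check happens before any SQL text exists, and the query itself carries only placeholders, so the two layers are independent: even if the parser were later relaxed, the bound parameters would still keep the values out of the statement text.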
Risk and Exploitability
Based on the description, the attack vector is inferred to be a web‑based SQL injection that does not require authentication, since the Send Basket endpoint accepts unauthenticated POST requests from any user who can reach the catalog. No CVSS score is present in the data, but exploitation is feasible for anyone able to reach the endpoint. The EPSS score is not provided and the vulnerability is not cataloged by CISA, suggesting that while exploitation is possible, active public attacker activity is not currently documented. Nonetheless, because the flaw exposes arbitrary database content and can be triggered by simple HTTP requests, the potential impact is high and the risk remains significant.
OpenCVE Enrichment