PT-2011-05: Cross-Site Scripting in Koha Library Software

Vulnerable software

Koha Library Software version 3.2.9 and earlier or 3.4.1 and earlier
Application link: http://koha-community.org/

Severity level

Severity level: Medium
Impact: Cross-Site Scripting
Attack vector: Remote

CVSS v2:
Base Score: 4.3
Temporal Score: 3.4
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:P/RL:O/RC:C)

CVE: N/A

Software Description

Koha Library Software – library automation system.

Vulnerability Description

Positive Research Center detected XSS in Koha Library Software.

The application insufficiently verifies incoming data from users in the following scripts:

opac-downloadcart.pl
opac-addbybiblionumber.pl
opac-downloadshelf.pl
opac-review.pl
opac-sendshelf.pl
opac-serial-issues.pl

An attacker can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.

How to fix

Update your software to the latest version.

Advisory status

31.05.2011 - Vendor is notified
15.06.2011 - Vendor gets vulnerability details
19.06.2011 - Vendor releases fixed version and details
06.07.2011 - Public disclosure

Credits

The vulnerability was detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2011-05

Reports on the vulnerabilities previously discovered by Positive Technologies Research Center:

http://en.securitylab.ru/lab/
http://www.ptsecurity.com/advisory1.aspx