CVE-2024-28740
📋 TL;DR
A cross-site scripting (XSS) vulnerability in Koha Integrated Library System allows remote attackers to inject malicious scripts via the additional-contents.pl component. This can lead to arbitrary code execution on affected systems. All Koha ILS installations running version 23.05 or earlier are vulnerable.
💻 Affected Systems
- Koha Integrated Library System
📦 What is this software?
Koha by Koha
⚠️ Risk & Real-World Impact
Worst Case
Attackers achieve remote code execution, compromising the entire Koha server, stealing sensitive library data, and potentially pivoting to other systems.
Likely Case
Attackers steal session cookies, perform actions as authenticated users, deface the library interface, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the XSS payloads are neutralized, preventing script execution.
🎯 Exploit Status
Detailed exploitation techniques are publicly documented, showing how XSS can be escalated to remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.05.01 or later
Vendor Advisory: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35600
Restart Required: No
Instructions:
1. Update Koha to version 23.05.01 or later.
2. Apply the security patch for the additional-contents.pl component.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation and output encoding for the additional-contents.pl component to sanitize user inputs.
# Modify additional-contents.pl to escape user inputs using HTML::Entities or similar
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads targeting the vulnerable endpoint.
# Configure WAF rules to detect and block XSS patterns in requests to additional-contents.pl
🧯 If You Can't Patch
- Restrict access to the additional-contents.pl component using network ACLs or authentication requirements.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact by restricting script execution sources.
🔍 How to Verify
Check if Vulnerable:
Test the additional-contents.pl endpoint with XSS payloads; if scripts execute, the system is vulnerable.
Check Version:
koha-version
Verify Fix Applied:
After patching, retest with XSS payloads to ensure scripts are no longer executed and inputs are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to additional-contents.pl containing script tags or JavaScript code
- Multiple failed login attempts followed by XSS payloads
Network Indicators:
- HTTP requests with suspicious parameters like <script> or javascript: in URLs targeting additional-contents.pl
SIEM Query:
source="web_logs" AND uri="/cgi-bin/koha/additional-contents.pl" AND (request LIKE "%<script>%" OR request LIKE "%javascript:%")
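The same detection logic as the SIEM query, run over web server access logs, added here as an example that is not part of the advisory or of Koha. The log lines are constructed, and the request target is URL-decoded before matching so that percent-encoded or double-encoded forms of the indicators, which the literal LIKE patterns above miss, are still flagged.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache common log format; not real traffic.
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi-bin/koha/additional-contents.pl?op=add HTTP/1.1" 200 512
10.0.0.6 - - [12/Mar/2024:10:01:09 +0000] "GET /cgi-bin/koha/additional-contents.pl?title=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /cgi-bin/koha/additional-contents.pl?link=%20JavaScript%3Aalert(1) HTTP/1.1" 200 640
10.0.0.8 - - [12/Mar/2024:10:03:00 +0000] "GET /cgi-bin/koha/opac-search.pl?q=%3Cscript%3E HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# The two indicators named in the advisory, matched after decoding and case-folding.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)
VULN_ENDPOINT = 'additional-contents.pl'

def normalise(target: str) -> str:
    """URL-decode the request target repeatedly (at most 3 passes) so that
    single- or double-encoded payloads are compared as plain text."""
    decoded = target
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def scan_logs(text: str) -> list[dict]:
    """Return one finding per request to the vulnerable endpoint whose decoded
    target contains an XSS marker; requests to other endpoints are ignored."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = m.group('target').split('?', 1)[0]
        if not path.endswith(VULN_ENDPOINT):
            continue
        decoded = normalise(m.group('target'))
        hit = XSS_MARKERS.search(decoded)
        if hit:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'marker': hit.group(0).lower(), 'target': decoded})
    return findings

if __name__ == '__main__':
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ts']} {f['ip']} marker={f['marker']!r} {f['target']}")
```

Adjust REQUEST_RE if your proxy writes a different log format; only the request target and client address are used.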