[Koha] CSRF tokens are not getting validated
koha at ourlib.in
Wed Jan 29 01:33:29 NZDT 2025
Hello,
sorry to bother you again. The security team has raised the following concern;
please guide me in fixing it:
===============
In Koha version 24.05, CSRF tokens are not getting validated during
insert or update operations (e.g., creating a new patron). Even when the
CSRF token is removed or invalid, Koha still processes the request and
creates the new patron.
Koha Version: 24.05
Steps to Reproduce:
1. Navigate to the patron creation form in Koha.
2. Remove the CSRF token from the input and meta tags.
3. Submit the form to create a new patron.
4. The new patron is created successfully, despite the missing or
invalid CSRF token.
Koha v24.05 does not validate CSRF tokens correctly, potentially
exposing the system to CSRF attacks.
=================
Regards,
Vikram
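The reproduction above is best turned into a repeatable check before and after any fix: submit the same form three times (genuine token, token removed, token tampered) and confirm that only the genuine submission performs the write. The script below is an added example, not Koha project code or part of the original mail. It assumes the hidden field is named csrf_token and the meta tag csrf-token, that the form is fetched with a valid staff-client session cookie, and that a caller supplies a string (success_marker) that only appears on the page when the patron was actually created; all of those are assumptions for illustration. The sample HTML at the bottom is constructed so the parsing and verdict logic can be exercised offline.

```python
"""Check whether a form endpoint enforces its CSRF token.

Added example; not Koha project code. The field/meta names, the success
marker and the form URL are assumptions and must be adapted to the target.
"""
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser

TOKEN_FIELD = "csrf_token"   # assumed name of the hidden input
TOKEN_META = "csrf-token"    # assumed name of the <meta> tag


class _FormScraper(HTMLParser):
    """Collects <input name=...> values, the CSRF meta tag and the form action."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.meta_token = None
        self.action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""
        elif tag == "meta" and a.get("name") == TOKEN_META:
            self.meta_token = a.get("content")
        elif tag == "form" and self.action is None:
            self.action = a.get("action")


def scrape_form(html):
    parser = _FormScraper()
    parser.feed(html)
    return parser


def extract_csrf_token(html):
    """Token from the hidden input, falling back to the meta tag."""
    form = scrape_form(html)
    return form.fields.get(TOKEN_FIELD) or form.meta_token


def build_variants(fields):
    """Same form data three ways: genuine token, token removed, token tampered."""
    genuine = dict(fields)
    missing = {k: v for k, v in fields.items() if k != TOKEN_FIELD}
    tampered = dict(fields, **{TOKEN_FIELD: "0" * len(fields.get(TOKEN_FIELD, "x"))})
    return {"genuine": genuine, "missing": missing, "tampered": tampered}


def classify(accepted):
    """accepted maps variant name -> True if the server performed the write.

    Protection only counts as effective when the genuine submission succeeds
    and both forged ones are refused.
    """
    if accepted.get("missing") or accepted.get("tampered"):
        return "NOT ENFORCED"
    if not accepted.get("genuine"):
        return "INCONCLUSIVE"   # even the real token failed: check session/cookie
    return "ENFORCED"


def probe(form_url, cookie, extra_fields, success_marker):
    """Live check against a running instance (not exercised offline).

    Every accepted variant really performs the write (e.g. creates a patron),
    so run this only against a test instance.
    """
    opener = urllib.request.build_opener()
    opener.addheaders = [("Cookie", cookie)]
    html = opener.open(form_url).read().decode("utf-8", "replace")
    form = scrape_form(html)
    fields = dict(form.fields, **extra_fields)
    if TOKEN_FIELD not in fields and form.meta_token:
        fields[TOKEN_FIELD] = form.meta_token
    action = urllib.parse.urljoin(form_url, form.action or form_url)
    accepted = {}
    for name, data in build_variants(fields).items():
        body = urllib.parse.urlencode(data).encode()
        req = urllib.request.Request(action, data=body, method="POST")
        try:
            page = opener.open(req).read().decode("utf-8", "replace")
            accepted[name] = success_marker in page
        except urllib.error.HTTPError:
            accepted[name] = False   # a 4xx (e.g. 403) means the write was refused
    return classify(accepted), accepted


# Constructed sample page for offline use; not captured from a real Koha.
SAMPLE_HTML = (
    '<html><head><meta name="csrf-token" content="meta-abc"></head><body>'
    '<form action="/submit" method="post">'
    '<input type="hidden" name="csrf_token" value="tok-xyz">'
    '<input type="text" name="surname" value="Doe"></form></body></html>'
)

if __name__ == "__main__":
    token = extract_csrf_token(SAMPLE_HTML)
    print("token:", token)
    for name, data in build_variants(scrape_form(SAMPLE_HTML).fields).items():
        print(name, data)
    # A server that writes the patron for all three variants is unprotected.
    print(classify({"genuine": True, "missing": True, "tampered": True}))
```

Against a live instance, call probe() with the patron form URL, the staff session cookie, the fields the form needs (with a fresh cardnumber per run) and a marker that only the post-creation page contains. The verdict is only meaningful if the genuine variant succeeds: an INCONCLUSIVE result usually means an expired session rather than anything about CSRF.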