[Koha] Potential XSS attack vector in opac

Bob Ewart bob-ewart at bobsown.com
Wed Dec 10 11:42:24 NZDT 2014

When our site was scanned for potential vulnerabilities, they came up 
with the following links typed into Firefox.'"><script>prompt('Happy_Holidays')</script>&limit=123


Both of these scripts are executed and cause a pop-up.

This looks similar to bug 11341 which was fixed in 3.14.  We are running 
3.18 on Xubuntu 14.04 LTS installed from the PPA.  I noticed that in the 
patch at 
there were a number of '|html %' entries which appear as '|url %' in 3.18.

Is this a regression on bug 11341?

Bob Ewart
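To illustrate the filter mix-up the post describes (a URL-encoding filter substituted for an HTML-escaping one), here is an added example, written for this thread and not taken from Koha or Template Toolkit. It uses only the Python standard library; the link path, parameter names and the probe string are constructed stand-ins for the reported scan.

```python
import html
from urllib.parse import quote, urlencode

# Constructed sample input: the harmless probe string reported in the post.
PROBE = "'\"><script>prompt('Happy_Holidays')</script>"

def html_context(value: str) -> str:
    """Escape a value for placement in HTML text or a quoted attribute.
    This is the job of an |html-style template filter."""
    return html.escape(value, quote=True)

def url_query_value(value: str) -> str:
    """Percent-encode a value for use *inside a URL query string*.
    This is the job of a |url-style filter; it is not HTML escaping and
    must not be the only treatment a value gets before landing in markup."""
    return quote(value, safe="")

def unsafe_search_link(term: str, limit: int) -> str:
    """Simplified reflection of a query parameter with no output filtering,
    i.e. the failure mode the scanner flagged (kept only for comparison)."""
    return f'<a href="/cgi-bin/koha/opac-search.pl?q={term}&limit={limit}">{term}</a>'

def search_link(term: str, limit: int) -> str:
    """Context-aware rendering: URL-encode the parameter while *building* the
    URL, then HTML-escape the whole href because it sits in an attribute, and
    HTML-escape the visible link text separately."""
    href = "/cgi-bin/koha/opac-search.pl?" + urlencode({"q": term, "limit": limit})
    return f'<a href="{html_context(href)}">{html_context(term)}</a>'

def reflects_raw_markup(rendered: str) -> bool:
    """Crude regression check usable in a template test-suite: the literal
    tag opener from the probe must never survive into rendered output."""
    return "<script" in rendered
```

Running `reflects_raw_markup` over rendered OPAC pages with the probe as input is a cheap way to catch an `|html` to `|url` regression before a scanner does.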
