https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Bug ID: 41593 Summary: Authenticated SQL Injection in Koha staff interface allows full database compromise Initiative type: --- Sponsorship Seeking sponsor status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: shukrulloh70@gmail.com QA Contact: testopia@bugs.koha-community.org An authenticated SQL Injection vulnerability was identified in the Koha staff interface. A low-privileged staff user can inject arbitrary SQL queries via a vulnerable request parameter processed by the GetDistinctValues functionality. The injection occurs due to unsafe handling of user-supplied input when constructing SQL queries without sufficient sanitization or strict validation. Successful exploitation allows an authenticated attacker to fully compromise the backend database. /cgi-bin/koha/suggestion/suggestion.pl displayby vulnerebl parameter -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.