[Bug 41593] New: Authenticated SQL Injection in Koha staff interface allows full database compromise
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Bug ID: 41593 Summary: Authenticated SQL Injection in Koha staff interface allows full database compromise Initiative type: --- Sponsorship Seeking sponsor status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: shukrulloh70@gmail.com QA Contact: testopia@bugs.koha-community.org An authenticated SQL Injection vulnerability was identified in the Koha staff interface. A low-privileged staff user can inject arbitrary SQL queries via a vulnerable request parameter processed by the GetDistinctValues functionality. The injection occurs due to unsafe handling of user-supplied input when constructing SQL queries without sufficient sanitization or strict validation. Successful exploitation allows an authenticated attacker to fully compromise the backend database. /cgi-bin/koha/suggestion/suggestion.pl displayby vulnerebl parameter -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 shukrulloh70@gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |critical Priority|P5 - low |P1 - high -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 shukrulloh70@gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |25.12 released in| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Koha |Staff interface Product|Koha security |Koha Group|Koha security | CC| |gmcharlt@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #39 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- (In reply to shukrulloh70 from comment #34)
(In reply to Jonathan Druart from comment #32)
Next minor releases are planned for next Monday (Jan 26)
hello any updates for new release? because I need report for my job CVE if it possible could you do it today please
This is now public. There is a very good blog post from the author of this patch set, I encourage you to read it and take some of David's advice: https://koha-community.gitlab.io/KohaAdvent/2025-12-09-security-all/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|26.05.00,25.11.01,24.11.12 |26.05.00,25.11.01,25.05.07, released in| |24.11.12 --- Comment #40 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Also pushed to 25.05.07! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 shukrulloh70@gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|26.05.00,25.11.01,25.05.07, | released in|24.11.12 | --- Comment #41 from shukrulloh70@gmail.com --- could you give some information how I should report cve please -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |26.05.00,25.11.01,25.05.07, released in| |24.11.12 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #42 from David Cook <dcook@prosentient.com.au> --- (In reply to shukrulloh70 from comment #41)
could you give some information how I should report cve please
When you're submitting your request, I think you should include the URL to this bug report, and it would be useful in the report to say that the bug is fixed in versions 26.05.00, 25.11.01, 25.05.07, and 24.11.12 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting --- Comment #43 from Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> --- Hoping this is okay to close, changed to "Needs documenting" to get it off my list but feel free to change status if work/discussion is still needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 shukrulloh70@gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Alias| |Mothra -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Alias|Mothra | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 shukrulloh70@gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Alias| |Mothra -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #44 from David Cook <dcook@prosentient.com.au> --- shukrulloh70@gmail.com why do you keep adding this Alias "Mothra"? It has no significance to Koha. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Alias|Mothra | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #45 from shukrulloh70@gmail.com --- could you give me affected versions for CVE -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #46 from David Cook <dcook@prosentient.com.au> --- (In reply to shukrulloh70 from comment #45)
could you give me affected versions for CVE
Thanks for asking. Under "Version(s) released in", it says the fix is in versions: 26.05.00,25.11.01,25.05.07,24.11.12 So affected versions would be 25.11.00, 25.05.06, 24.11.11, and lower. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED CC| |caroline.cyr-la-rose@inlibr | |o.com --- Comment #47 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- This is a bug fix, nothing to change in the manual -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Authenticated SQL Injection |[CVE-2026-31844] |in staff side suggestions |Authenticated SQL Injection | |in staff side suggestions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #48 from David Cook <dcook@prosentient.com.au> --- Thanks for your work on this one, Shukrulloh. I see online that this was your first CVE. Congratulations on that milestone, and thank you for respecting our process. We really appreciate it. I'll make sure to keep my eye open for more reports from you ;). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #49 from David Cook <dcook@prosentient.com.au> --- By the way, in future, if you can let us know the CVE ID when it's assigned, that would be helpful too. But very happy that you included the affected versions in the CVE report. It makes things much nicer for us, so thanks again! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41593 --- Comment #50 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #44)
shukrulloh70@gmail.com why do you keep adding this Alias "Mothra"? It has no significance to Koha.
I see now that Mothra is the handle you use online. Fair enough! If you update your Bugzilla account name you could put your full name and your alias/handle on there. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org