{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36058", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-07T15:54:36.430Z", "dateReserved": "2024-05-19T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T15:54:36.430Z"}, "descriptions": [{"lang": "en", "value": "The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"url": "https://koha-community.org/koha-22-05-22-released/"}, {"url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36058"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database."}], "id": "CVE-2024-36058", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T17:16:25.050", "references": [{"source": "cve@mitre.org", "url": "https://github.com/hacklantic/Research/tree/main/CVE-2024-36058"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md"}, {"source": "cve@mitre.org", "url": "https://koha-community.org/koha-22-05-22-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,23.05.10)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "koha", "vendor": "koha-community"}], "analysis": {"en": {"generated_at": "2026-04-07T22:54:55.546396+00:00", "value": {"mitigation_remediation": ["Upgrade Koha to version 23.05.10 or newer, where the bib_list parameter is properly sanitized."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Database Read via SQL Injection"}, "threat_synthesis": {"affected_systems": "Koha Library, the open\u2011source integrated library system widely used by schools and public libraries. All releases before 23.05.10 are affected. The commit log and release notes for 23.05.10 and later indicate that the bib_list input is now properly sanitized, thereby fixing the issue.", "description_and_impact": "The Koha library system\u2019s Send Basket feature, prior to version 23.05.10, allows a time\u2011based SQL injection through the POST parameter bib_list sent to /cgi-bin/koha/opac-sendbasket.pl. The code fails to sanitize this input, enabling an attacker to craft queries that return arbitrary database data based on response timing. This flaw can expose catalog contents, user data, or other sensitive information, thereby compromising confidentiality. The underlying weakness is an input validation error that permits SQL query manipulation, identified as an SQL injection vulnerability.", "risk_and_exploitability": "Based on the description, it is inferred that the attack vector is a web\u2011based SQL injection that does not require authentication, as the Send Basket endpoint accepts unauthenticated POST requests from any user who can access the catalog. The vulnerability\u2019s CVSS score is not present in the data, but the exploit is feasible for anyone able to reach the endpoint. The EPSS score is not provided and the vulnerability is not cataloged by CISA, suggesting that while exploitation is possible, active public attacker activity is not currently documented. Nonetheless, because the flaw exposes arbitrary database content and can be triggered by simple HTTP requests, the potential impact is high and the risk remains significant."}}}}, "created": "2026-04-08T19:38:36.522393+00:00", "title": "Time\u2011Based SQL Injection in Koha Library's Send Basket Functionality", "updated": "2026-04-08T19:50:19.411792+00:00", "vendors": ["koha-community", "koha-community$PRODUCT$koha"], "weaknesses": ["CWE-89", "CWE-20"]}