CVE-2015-4639

high

Published 2017-07-21 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.8

Description

Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Application impact

Vendor	Product	Versions
koha	koha	`3.14.00`
koha	koha	`3.14.01`
koha	koha	`3.14.02`
koha	koha	`3.14.03`
koha	koha	`3.14.04`
koha	koha	`3.14.05`
koha	koha	`3.14.06`
koha	koha	`3.14.07`
koha	koha	`3.14.08`
koha	koha	`3.14.09`
koha	koha	`3.14.10`
koha	koha	`3.14.11`
koha	koha	`3.14.12`
koha	koha	`3.14.13`
koha	koha	`3.14.14`
koha	koha	`3.14.15`
koha	koha	`3.16.00`
koha	koha	`3.16.01`
koha	koha	`3.16.02`
koha	koha	`3.16.03`
koha	koha	`3.16.04`
koha	koha	`3.16.05`
koha	koha	`3.16.06`
koha	koha	`3.16.07`
koha	koha	`3.16.08`
koha	koha	`3.16.09`
koha	koha	`3.16.10`
koha	koha	`3.16.11`
koha	koha	`3.20.00`

References

CWEs

CWE-352

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.