CVE-2024-36058

Received Received - Intake

Time-Based SQL Injection in Koha Send Basket Allows Data Exposure

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: MITRE

Description

The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-07

Last Modified

2026-04-09

Generated

2026-06-16

AI Q&A

2026-04-07

EPSS Evaluated

2026-06-15

NVD

CVE-2024-36058

EUVD

EUVD-2024-55539

Affected Vendors & Products

Vendor	Product	Version / Range
koha	koha	to 23.05.10 (exc)
koha	library	to 22.05.22 (exc)
koha	library	to 23.05.10 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2024-36058 is a time-based blind SQL injection vulnerability in the Koha Library Software versions prior to 22.05.22. It exists in the Send Basket functionality at the endpoint opac/opac-sendbasket.pl, specifically in the bib_list POST parameter.

The vulnerability occurs because the bib_list parameter is not properly sanitized before being used in an SQL query. This allows an authenticated, low-privilege library user to inject arbitrary SQL commands that cause the database to delay its response time.

By measuring these delays, an attacker can perform blind SQL injection to extract sensitive data from the database without directly seeing the query results.

Impact Analysis

This vulnerability allows an authenticated user with low privileges to read arbitrary data from the database by exploiting the time-based SQL injection.

Unauthorized access to sensitive information such as password reset tokens.
Potential hijacking of other user accounts using stolen credentials or tokens.
Exposure of confidential or private data stored in the database.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the endpoint opac-sendbasket.pl with a payload in the bib_list parameter that triggers a database sleep command, causing a measurable delay in the server's response time.

For example, an authenticated user can log in, add a book to the basket, intercept the Send Basket request using a proxy tool like Burp Suite, and inject a payload such as: 1) AND (SELECT 1 FROM (SELECT(SLEEP(36)))x)-- - into the bib_list parameter.

If the server response is delayed by the expected interval (e.g., 36 seconds), this confirms the presence of the time-based blind SQL injection vulnerability.

Compliance Impact

This vulnerability allows unauthorized access to sensitive data in the Koha Library database through a time-based blind SQL injection attack. Such unauthorized data exposure can lead to breaches of confidentiality and data protection requirements mandated by standards like GDPR and HIPAA.

Specifically, attackers can access sensitive information such as password reset tokens, which could lead to account hijacking and further unauthorized data disclosure. This compromises the integrity and confidentiality of personal data, potentially resulting in non-compliance with regulations that require protection of user data and prompt breach notification.

Mitigation Strategies

To mitigate the vulnerability, immediately upgrade Koha Library Software to version 22.05.22 or later, where the issue has been addressed.

Until the upgrade can be performed, restrict access to the Send Basket functionality to trusted users only and monitor for unusual activity involving the bib_list parameter.

Additionally, consider using web application firewalls or input validation proxies to detect and block suspicious POST requests targeting the bib_list parameter.

Hi! I’m here to help you understand CVE-2024-36058. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2024-36058

Time-Based SQL Injection in Koha Send Basket Allows Data Exposure

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart