CVE-2024-24337

Severity: High
Published: Mon Feb 12 2024 (02/12/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into CSV exports via the 'Budget' and 'Patrons Member' components.

AI-Powered Analysis

AI analysis last updated: 10/04/2025, 10:17:29 UTC

Technical Analysis

CVE-2024-24337 is a high-severity CSV Injection vulnerability identified in the Koha Library Management System, specifically affecting versions 23.05.05 and earlier. The vulnerability exists in two endpoints: '/members/moremember.pl' and '/admin/aqbudgets.pl'. These endpoints handle CSV export functionality related to the 'Budget' and 'Patrons Member' components. The flaw allows an attacker to inject Dynamic Data Exchange (DDE) commands into CSV files generated by these endpoints. When a user opens the maliciously crafted CSV file in spreadsheet software such as Microsoft Excel, the embedded DDE commands can execute arbitrary code on the victim's machine. This type of injection exploits the way spreadsheet applications interpret certain cell values starting with special characters (e.g., '=', '@', '+', or '-') as formulas, which can be leveraged to trigger DDE execution. The CVSS 3.1 base score of 8.8 reflects the vulnerability's high impact and ease of exploitation: it requires no privileges (PR:N), can be exploited remotely over the network (AV:N), and only requires user interaction in the form of opening the CSV file (UI:R). The vulnerability impacts confidentiality, integrity, and availability, as arbitrary code execution can lead to data theft, manipulation, or system compromise. Although no known exploits are currently reported in the wild, the vulnerability's nature and high score indicate a significant risk, especially in environments where CSV exports are commonly used and trusted by users. The lack of available patches at the time of reporting underscores the urgency for organizations to implement mitigations.

Potential Impact

For European organizations, particularly libraries, educational institutions, and public sector entities using Koha Library Management System, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized code execution on systems of staff or administrators who handle CSV exports, potentially resulting in data breaches, ransomware deployment, or disruption of library services. Given the widespread adoption of Koha in Europe, especially in countries with strong public library networks, the threat could affect sensitive patron data and financial records managed within the system. The social engineering aspect—requiring a user to open a CSV file—means that phishing or malicious file distribution campaigns could be effective attack vectors. The impact extends beyond individual organizations to potentially compromise interconnected systems, eroding trust in public digital services and causing operational downtime.

Mitigation Recommendations

1. Immediate mitigation includes educating users to avoid opening CSV files from untrusted or unexpected sources, especially those exported from Koha's affected endpoints.
2. Configure spreadsheet applications to disable automatic formula execution or DDE functionality where possible. For example, in Microsoft Excel, disable 'Update Links to other documents' and disable DDE execution via Group Policy or application settings.
3. Implement input validation and sanitization on the server side to neutralize any formula injection attempts by escaping or removing leading characters ('=', '+', '-', '@') in CSV export fields.
4. Monitor and restrict access to the vulnerable endpoints to trusted personnel only, and audit CSV export logs for unusual activity.
5. Apply any forthcoming official patches from Koha promptly once available.
6. Consider using alternative export formats (e.g., PDF or sanitized text files) for sensitive data until the vulnerability is resolved.
7. Employ endpoint protection solutions capable of detecting and blocking suspicious script execution triggered by spreadsheet applications.
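The server-side neutralization in step 3 and the export audit in step 4 are illustrated below with an added Python example. It is not Koha's own code (Koha's export scripts are Perl) and does not reflect how the project fixed the issue; the patron rows, column names and formula-like values are constructed for the demonstration. The sanitizer prefixes a single quote to any cell whose first non-blank character is a formula trigger, leaves genuine numbers such as "-3.50" untouched so balances are not corrupted, and a second helper scans an existing CSV export for cells that a spreadsheet would still evaluate.

```python
import csv
import io

# Characters that Excel, LibreOffice Calc and similar applications treat as
# the start of a formula when they appear first in a cell. Tab and carriage
# return are included because some applications strip them before parsing.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_numeric(text):
    """True for plain numbers such as '-3.50' or '+2', which are harmless
    and would be displayed as text if quoted."""
    try:
        float(text)
    except ValueError:
        return False
    return True


def neutralize_cell(value):
    """Return a version of `value` that spreadsheets render as literal text.

    A leading single quote marks the cell as a string, so '=1+1' becomes
    "'=1+1" and is displayed instead of evaluated. Leading whitespace is
    skipped before the check so ' =1+1' is neutralized as well.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS) and not is_numeric(text):
        return "'" + text
    return text


def export_csv(header, rows):
    """Serialize rows to CSV text with every data cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit helper: list (row, column, value) for cells in an existing CSV
    export that a spreadsheet would still interpret as formulas."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(FORMULA_TRIGGERS) and not is_numeric(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample (not real Koha data): free-text patron fields carrying
# formula-like values next to ordinary signed numbers.
SAMPLE_HEADER = ["cardnumber", "surname", "note", "balance"]
SAMPLE_ROWS = [
    ["1001", "Smith", "regular patron", "-3.50"],
    ["1002", "=1+1", "@SUM(A1:A2)", "+2"],
    ["1003", "O'Brien", " =HYPERLINK(\"https://example.invalid\")", "0"],
]

if __name__ == "__main__":
    unsafe = io.StringIO()
    csv.writer(unsafe, lineterminator="\n").writerows([SAMPLE_HEADER] + SAMPLE_ROWS)
    print("formula cells in unsanitized export:", find_formula_cells(unsafe.getvalue()))
    safe = export_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(safe)
    print("formula cells in sanitized export:", find_formula_cells(safe))
```

The numeric exemption matters for the 'Budget' export in particular: a naive rule that quotes every cell beginning with '-' would turn negative amounts into text and break downstream arithmetic, while still leaving the real risk (free-text fields such as patron notes and surnames) to be handled by the same function.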


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e0f3c6b66c7f7acdd3ea9a

Added to database: 10/4/2025, 10:15:34 AM

Last enriched: 10/4/2025, 10:17:29 AM

Last updated: 10/4/2025, 1:01:56 PM
