CVE-2024-28740 identifies a Cross Site Scripting (XSS) vulnerability in the Koha Integrated Library System (ILS), specifically in the additonal-contents.pl component. Koha is an open-source library management software widely used by libraries globally to manage cataloging, circulation, and patron services. This vulnerability allows a remote attacker to inject malicious scripts that execute in the context of a victim's browser when they interact with the vulnerable component. The CVSS 3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity partially (C:L, I:L), but not availability (A:N). Since the vulnerability is an XSS flaw (CWE-79), it can be exploited to steal session cookies, perform actions on behalf of the user, or deliver further malware payloads. The affected versions include Koha 23.05 and all earlier releases, with no patches or exploit code publicly available at this time. The vulnerability was reserved in March 2024 and published in August 2024. Given Koha's deployment in public and academic libraries, exploitation could lead to unauthorized access to user data or manipulation of library records.

The primary impact of this vulnerability is the potential compromise of user confidentiality and data integrity within Koha ILS environments. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, theft of patron information, or unauthorized actions such as modifying library records or user accounts. While availability is not directly impacted, the loss of trust and integrity in library systems could disrupt operations and user confidence. Since Koha is used worldwide, especially in public, academic, and research libraries, the threat extends to any organization relying on this software for critical library management functions. The requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in environments with less security awareness. No known exploits in the wild reduce immediate risk, but the medium CVSS score suggests timely mitigation is necessary to prevent future attacks.

Organizations using Koha ILS 23.05 or earlier should immediately review and apply any available patches or updates from the Koha development community once released. In the absence of official patches, administrators should implement input validation and output encoding on the additonal-contents.pl component to sanitize user-supplied data and prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the Koha interface. Educate users about the risks of interacting with suspicious links or content within the library system to reduce the likelihood of successful exploitation requiring user interaction. Regularly audit and monitor web application logs for unusual activity indicative of attempted XSS attacks. Consider isolating the Koha web interface behind web application firewalls (WAFs) that can detect and block XSS payloads. Finally, maintain an incident response plan tailored to web application attacks to quickly address any exploitation attempts.