CVE-2024-36058: n/a
The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
AI Analysis
Technical Summary
The Send Basket feature in Koha Library prior to version 23.05.10 contains a time-based SQL injection vulnerability due to improper sanitization of the POST parameter bib_list in the script /cgi-bin/koha/opac-sendbasket.pl. This allows unauthenticated attackers to extract arbitrary data from the backend database by leveraging time delays in SQL queries. The vulnerability is tracked as CVE-2024-36058 with a critical CVSS 3.1 score of 9.8, reflecting its potential for full compromise of confidentiality, integrity, and availability. No vendor advisory or patch information is currently provided, and the software is not a cloud service, so remediation depends on vendor patch releases or user mitigations.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to read arbitrary data from the Koha Library database, potentially exposing sensitive information. The CVSS score of 9.8 indicates critical impact affecting confidentiality, integrity, and availability of the affected system. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable endpoint and monitoring for suspicious activity related to the Send Basket functionality. Avoid exposing the affected interface to untrusted users where possible.
CVE-2024-36058: n/a
Description
The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Send Basket feature in Koha Library prior to version 23.05.10 contains a time-based SQL injection vulnerability due to improper sanitization of the POST parameter bib_list in the script /cgi-bin/koha/opac-sendbasket.pl. This allows unauthenticated attackers to extract arbitrary data from the backend database by leveraging time delays in SQL queries. The vulnerability is tracked as CVE-2024-36058 with a critical CVSS 3.1 score of 9.8, reflecting its potential for full compromise of confidentiality, integrity, and availability. No vendor advisory or patch information is currently provided, and the software is not a cloud service, so remediation depends on vendor patch releases or user mitigations.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to read arbitrary data from the Koha Library database, potentially exposing sensitive information. The CVSS score of 9.8 indicates critical impact affecting confidentiality, integrity, and availability of the affected system. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable endpoint and monitoring for suspicious activity related to the Send Basket functionality. Avoid exposing the affected interface to untrusted users where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2024-05-19T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5314faaed68159a339914
Added to database: 4/7/2026, 4:31:11 PM
Last enriched: 4/15/2026, 12:32:09 PM
Last updated: 5/22/2026, 1:39:02 PM
Views: 40
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.