CVE-2024-36058

Critical

Published: 07 April 2026

Published

07 April 2026

Modified

09 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of untrusted inputs like the bib_list POST parameter to prevent time-based SQL injection attacks.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and remediation of known flaws, such as upgrading Koha to version 23.05.10 or later to fix the SQL injection vulnerability.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on information inputs to limit them to expected types, formats, and content, blocking malicious SQL payloads in the bib_list parameter.

Security SummaryAI

CVE-2024-36058 is a time-based SQL injection vulnerability in the Send Basket functionality of Koha Library software versions prior to 23.05.10. The issue stems from inadequate sanitization of the POST parameter bib_list in the script /cgi-bin/koha/opac-sendbasket.pl, enabling attackers to manipulate database queries. Classified under CWE-89 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it poses a critical risk due to its high impact on confidentiality, integrity, and availability.

Any unauthenticated library user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious payloads in the bib_list parameter, attackers can extract arbitrary data from the database through timing-based blind SQL injection techniques, potentially compromising sensitive library patron information, bibliographic records, or other backend data stores.

Koha release notes for versions 23.05.10 and 23.05.11 document the fix, recommending immediate upgrades to these or later versions to mitigate the vulnerability. A proof-of-concept is available in the associated GitHub research repository at https://github.com/hacklantic/Research/tree/main/CVE-2024-36058, highlighting the need for input validation and prepared statements in affected deployments.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

CVE-2024-36058 is a SQL injection in a public-facing web application (Koha opac-sendbasket.pl), enabling unauthenticated remote exploitation (T1190) to extract arbitrary data from databases via time-based blind SQLi (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/hacklantic/Research/tree/main/CVE-2024-36058
cve@mitre.org
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
cve@mitre.org
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
cve@mitre.org
https://koha-community.org/koha-22-05-22-released/
cve@mitre.org