Bug ID: 19061
           Summary: sql injection vulnerability in
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Reports
        QA Contact:

Two parameters are embedded in the SQL statement executed by this report, so
that sending a single quote as the value for branch generates a return of a
MySQL error. Parameters should always be passed via placeholders in the
statement and as parameters to the exec call.
While not a major vulnerability, this will be picked up by penetration testing.
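
The before and after that the report describes, as an added example (not Koha's code and not part of the bug report). It assumes Perl with DBI and DBD::SQLite installed so it runs without a server; the table `issues_demo`, its rows and the sub names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Table, column and sub names are hypothetical.
# Assumes DBI and DBD::SQLite are installed; Koha itself runs on MySQL/MariaDB.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

# Constructed sample data.
$dbh->do('CREATE TABLE issues_demo (branchcode TEXT, itemtype TEXT)');
$dbh->do('INSERT INTO issues_demo VALUES (?, ?)', undef, @$_)
    for ['CPL', 'BK'], ['CPL', 'DVD'], ['MPL', 'BK'];

# Before: request values are interpolated into the statement text, so a
# quote character in $branch changes the SQL that the database parses.
sub count_embedded {
    my ($branch, $itemtype) = @_;
    my $sql = "SELECT COUNT(*) FROM issues_demo"
            . " WHERE branchcode = '$branch' AND itemtype = '$itemtype'";
    my $sth = $dbh->prepare($sql);
    $sth->execute;
    return ($sth->fetchrow_array)[0];
}

# After: the statement text is constant; values travel separately through
# execute() and are only ever treated as data.
sub count_placeholders {
    my ($branch, $itemtype) = @_;
    my $sth = $dbh->prepare(
        'SELECT COUNT(*) FROM issues_demo WHERE branchcode = ? AND itemtype = ?');
    $sth->execute($branch, $itemtype);
    return ($sth->fetchrow_array)[0];
}

# Compare both forms on a normal branch code and on a lone single quote.
for my $branch ('CPL', q{'}) {
    my $embedded = eval { count_embedded($branch, 'BK') };
    $embedded = 'database error' unless defined $embedded;
    my $bound = count_placeholders($branch, 'BK');
    printf "branch=%-5s embedded: %-15s placeholders: %s\n",
        "[$branch]", $embedded, $bound;
}
```

With the single quote as the branch value, the embedded form fails inside the database while the placeholder form runs the query and matches no rows.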
