slims/slims8_akasia

GitHub

github.com

Releases1

Frequency

Last Release over 5 years ago

Stars89

SLiMS 8 Akasia official source code repository

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-45791 ↗	Mar 17, 2022Thursday, 17 March 2022, 11:15	8.8 HIGH	6.5 MEDIUM
Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated librarian users.
CVE-2018-12654 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	—	4.3 MEDIUM
Reflected Cross-Site Scripting (XSS) exists in the Bibliography module in SLiMS 8 Akasia 8.3.1 via an admin/modules/bibliography/index.php?keywords= URI.
CVE-2018-12655 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	—	4.3 MEDIUM
Reflected Cross-Site Scripting (XSS) exists in the Circulation module in SLiMS 8 Akasia 8.3.1 via an admin/modules/circulation/loan_rules.php?keywords= URI, a related issue to CVE-2017-7242.
CVE-2018-12656 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	—	4.3 MEDIUM
Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI.
CVE-2018-12657 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	—	4.3 MEDIUM
Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI.
CVE-2018-12658 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	6.1 MEDIUM	4.3 MEDIUM
Reflected Cross-Site Scripting (XSS) exists in the Stock Take module in SLiMS 8 Akasia 8.3.1 via an admin/modules/stock_take/index.php?keywords= URI.
CVE-2018-12659 ↗	Jun 22, 2018Friday, 22 June 2018, 15:29	—	6.8 MEDIUM
SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter.
CVE-2017-12584 ↗	Aug 6, 2017Sunday, 6 August 2017, 03:29	8.8 HIGH	6.8 MEDIUM
There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete account takeover, via the passwd1 and passwd2 fields in an admin/modules/system/app_user.php changecurrent=true operation.
CVE-2017-12585 ↗	Aug 6, 2017Sunday, 6 August 2017, 03:29	—	6.5 MEDIUM
SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users.
CVE-2017-12586 ↗	Aug 6, 2017Sunday, 6 August 2017, 03:29	—	4 MEDIUM
SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue because of directory traversal in the url parameter to admin/help.php. It can be exploited by remote authenticated librarian users.