Browse Source
There is a security hole in 2 scripts that are used by the UI to edit holidays. To test: 1) Go to Tools -> Calendar, for Centerville Check no holiday for 30/4/2020 2) To add a new holiday without login execute a curl command with necessary parameters 3) Reload page from 1), verify the new holiday edit and delete the holiday 4) Apply the patch 5) Do 2) again, this time you get a lengthy output, with the magic words: <title>Koha › Log in to Koha </title> Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>20.05.x
2 changed files with 5 additions and 0 deletions
Loading…
Reference in new issue