Koha/koha-tmpl/intranet-tmpl/prog/en
Jonathan Druart 0c3c162f76 Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated by triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:24:12 +00:00
data Bug 16608 - Missing entity nbsp in some XML files 2016-06-10 17:40:55 +00:00
includes Bug 5784 [QA Followup] - Move link to breadcrumbs 2017-01-19 12:05:51 +00:00
js Bug 16795 - Patron categories: Accept integers only for enrolment period and age limits 2016-07-08 13:15:31 +00:00
modules Bug 17905: FIX CSRF in member-flags 2017-01-30 11:24:12 +00:00
xslt Bug 15460 Adding spaces after subfields c and h of 245 2017-01-19 13:36:18 +00:00
columns.def Bug 17196: Remove occurrence of marcxml in columns.def 2017-01-13 13:49:30 +00:00