XSS Vulnerability in Calibre-Web Allows Arbitrary JavaScript Code Execution
CVE-2021-3988
What is CVE-2021-3988?
CVE-2021-3988 is a DOM-based Cross-site Scripting (XSS) vulnerability in janeczku/calibre-web, located in the edit_books.js file. It is reachable while editing a book's properties, specifically when uploading a cover image or a book format: the event handler attached to #btn-upload-cover takes user-controlled input and inserts it directly into the Document Object Model (DOM) without escaping or sanitization, so the browser parses the value as HTML rather than as text. An attacker who gets a crafted value into that handler can therefore run arbitrary JavaScript in the context of the logged-in Calibre-Web user's session, for example to steal session cookies or perform actions as that user. The underlying defect is the choice of sink: untrusted data must be written to the DOM as text (or HTML-escaped first), never as markup.
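The following is an added illustration of the vulnerable pattern described above and its hardened form. It is not Calibre-Web's code: the function names, the element stand-in and the assumption that the user-controlled value is the uploaded file's name are all hypothetical, chosen to show the difference between an HTML sink and a text sink. It runs in Node without a browser by modelling only the part of a DOM element that matters here.

```javascript
// Constructed sample inputs: a benign cover file name and one whose name carries
// an XSS payload. File names are attacker-controlled in any upload flow.
const BENIGN_FILENAME = 'Dune (1965).jpg';
const MALICIOUS_FILENAME = 'cover.jpg<img src=x onerror="alert(document.cookie)">';

// Minimal stand-in for a DOM element so the example runs outside a browser.
// In a real page, assigning innerHTML parses the string as HTML (tags and
// event-handler attributes become live); assigning textContent stores it verbatim.
function makeElement() {
  return {
    innerHTML: '',
    textContent: '',
    // Crude model of what the HTML parser would create from innerHTML:
    // the list of tag names opened by the string.
    childTagNames() {
      return [...this.innerHTML.matchAll(/<([a-zA-Z][\w-]*)/g)]
        .map((m) => m[1].toLowerCase());
    },
  };
}

// Vulnerable pattern (hypothetical handler body): the untrusted name is
// written through an HTML sink, so markup in the name is parsed and executed.
function showFilenameVulnerable(el, file) {
  el.innerHTML = file.name; // HTML sink: equivalent to jQuery's .html(value)
  return el;
}

// Hardened pattern: the same value written through a text sink, so '<' and '>'
// remain literal characters and no element or event handler is created.
function showFilenameSafe(el, file) {
  el.textContent = file.name; // text sink: equivalent to jQuery's .text(value)
  return el;
}

// When the value must be interpolated into an HTML string (string-built
// markup or a template), escape the five characters that change HTML parsing.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLabelSafe(file) {
  return `<span class="filename">${escapeHtml(file.name)}</span>`;
}

// Stand-alone demonstration.
const hit = showFilenameVulnerable(makeElement(), { name: MALICIOUS_FILENAME });
const miss = showFilenameSafe(makeElement(), { name: MALICIOUS_FILENAME });
console.log('vulnerable sink creates tags:', hit.childTagNames());
console.log('text sink creates tags:     ', miss.childTagNames());
console.log('escaped label:', renderLabelSafe({ name: MALICIOUS_FILENAME }));
```

The check a reviewer applies to a handler like this is simple: for every place untrusted data reaches the page, ask whether the sink interprets its argument as markup (innerHTML, .html(), document.write, outerHTML, insertAdjacentHTML) or as text (textContent, .text(), createTextNode). Only the latter is safe for raw user input; the former needs the value HTML-escaped first.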
Affected Version(s)
janeczku/calibre-web <= unspecified