XSS Vulnerability in Calibre-Web Allows Arbitrary JavaScript Code Execution

CVE-2021-3988

6.1MEDIUM

Key Information

Vendor: Janeczku
Status: Janeczku/calibre-web
Vendor: CVE Published:; 15 November 2024

Summary

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.

Affected Version(s)

janeczku/calibre-web <= unspecified

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: 6.1 to: 5.7 - (MEDIUM)
Nov 20, 2024
Risk change from: null to: 5.7 - (MEDIUM)
Nov 15, 2024
Vulnerability published.
Nov 15, 2024
Vulnerability Reserved.
Nov 20, 2021

Collectors

NVD DatabaseMitre Database