XSS Vulnerability in Calibre-Web Allows Arbitrary JavaScript Code Execution
CVE-2021-3988
Key Information:
- Vendor: Janeczku
- Product: Janeczku/calibre-web
- CVE Published: 15 November 2024
Summary
A Cross-site Scripting (XSS) vulnerability is present in the Janeczku Calibre-Web application, in the edit_books.js file. The flaw is reachable while editing book properties, for example when uploading a cover image or a book format: user-controlled input is inserted directly into the Document Object Model (DOM) without sanitization, so an attacker can cause arbitrary JavaScript to run in the browser of the user performing the edit. Exploitation can lead to unauthorized actions such as theft of that user's cookies. The affected code is the event handler attached to the #btn-upload-cover control. Mitigation requires proper validation and sanitization of the input before it reaches the DOM, or the use of text-only DOM sinks instead of HTML sinks.
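The following is an added illustration of the bug class described above; it is not Calibre-Web's own code and does not reproduce edit_books.js. It assumes a handler shape in which the name of the file chosen for the cover is echoed back into the page: the vulnerable version writes it through an HTML sink (innerHTML, or jQuery's .html()), the hardened versions use a text sink (textContent, or jQuery's .text()) or escape the value before building markup. A minimal element stand-in lets it run under Node without a browser.

```javascript
// Added example, not Calibre-Web code. The handler shape (echoing the chosen
// cover filename next to the upload button) is an assumption for illustration.

// HTML-escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal stand-in for a DOM element. It models the one property that matters
// here: assigning textContent stores the value escaped, so reading innerHTML
// afterwards shows no live tags, whereas assigning innerHTML stores raw markup.
function makeElement() {
  return {
    _html: "",
    get innerHTML() { return this._html; },
    set innerHTML(v) { this._html = String(v); },
    set textContent(v) { this._html = escapeHtml(v); },
  };
}

// Constructed attacker-controlled filename. Filesystems accept these
// characters, so a file named like this can be selected in an upload dialog.
const HOSTILE_FILENAME = '<img src=x onerror="alert(document.cookie)">.jpg';

// Vulnerable pattern: the filename reaches the DOM as markup. The <img> tag is
// parsed, fails to load, and its onerror handler runs with the page's cookies.
function showCoverNameUnsafe(el, filename) {
  el.innerHTML = "Selected cover: " + filename; // HTML sink (jQuery: .html())
  return el.innerHTML;
}

// Hardened pattern 1: a text sink never parses markup.
function showCoverNameSafe(el, filename) {
  el.textContent = "Selected cover: " + filename; // text sink (jQuery: .text())
  return el.innerHTML;
}

// Hardened pattern 2: when markup must be assembled by hand, escape the
// untrusted piece first so it can only ever be rendered as text.
function coverNameMarkup(filename) {
  return '<span class="cover-name">' + escapeHtml(filename) + "</span>";
}

// Crude check used below: does the rendered string still contain a tag that
// carries an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", showCoverNameUnsafe(makeElement(), HOSTILE_FILENAME));
console.log("safe:  ", showCoverNameSafe(makeElement(), HOSTILE_FILENAME));
console.log("markup:", coverNameMarkup(HOSTILE_FILENAME));
```

The vulnerable sink is the property being assigned, not the string concatenation around it: any value that originates from the user (a filename, a form field, a server response built from user data) must go through a text sink or be escaped before it is placed in an HTML sink.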
Affected Version(s)
janeczku/calibre-web <= unspecified