Kavita Reading Server Vulnerability: Malicious Ebooks Can Execute Code
CVE-2024-39307

3.5 LOW

Key Information:

Vendor

Kareadita

Status
Vendor
CVE Published:
28 June 2024

What is CVE-2024-39307?

Kavita is a cross-platform reading server. Opening an ebook that contains malicious scripts leads to code execution inside the reader's browsing context: Kavita does not sanitize or sandbox the contents of EPUBs, so scripts embedded in an ebook are allowed to execute. This vulnerability was patched in version 0.8.1.
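As an added example (not Kavita's code), the Python sanitizer below shows the server-side control the description says was missing: it walks every XHTML document inside an EPUB container (a zip file) and strips script elements, inline event-handler attributes and javascript: URLs before the content is served to a browser. The EPUB it processes is constructed inline for the demonstration.

```python
"""Strip active content from the XHTML documents of an EPUB (added example)."""
import io
import re
import zipfile

# Active-content patterns (case-insensitive; script bodies may span lines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>|<script\b[^>]*/>", re.I | re.S)
HANDLER_RE = re.compile(r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)
JS_URL_RE = re.compile(r"""((?:href|src|data|action)\s*=\s*["']?)\s*javascript:[^"'>\s]*""", re.I)

def sanitize_xhtml(markup: str) -> tuple[str, int]:
    """Return (cleaned markup, number of removals made)."""
    removed = 0
    for pattern, replacement in ((SCRIPT_RE, ""), (HANDLER_RE, ""), (JS_URL_RE, r"\1#")):
        markup, n = pattern.subn(replacement, markup)
        removed += n
    return markup, removed

def sanitize_epub(data: bytes) -> tuple[bytes, dict[str, int]]:
    """Rewrite every content document in the EPUB; report removals per file."""
    report: dict[str, int] = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info)
            if info.filename.lower().endswith((".xhtml", ".html", ".htm")):
                cleaned, n = sanitize_xhtml(payload.decode("utf-8"))
                if n:
                    report[info.filename] = n
                payload = cleaned.encode("utf-8")
            dst.writestr(info.filename, payload)
    return out.getvalue(), report

def build_sample_epub() -> bytes:
    """Constructed sample: a one-chapter EPUB carrying three kinds of active content."""
    chapter = (
        '<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><body>'
        "<p>Chapter 1</p><script>track()</script>"
        '<img src="cover.png" onerror="run()"/>'
        '<a href="javascript:run()">link</a></body></html>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/epub+zip")
        z.writestr("OEBPS/chapter1.xhtml", chapter)
    return buf.getvalue()

if __name__ == "__main__":
    _, removals = sanitize_epub(build_sample_epub())
    print(removals)  # {'OEBPS/chapter1.xhtml': 3}
```

The regular expressions are deliberately coarse (they may also strip text that merely looks like an attribute); a production reader would sanitize with a real XHTML parser and additionally serve book content under a restrictive Content-Security-Policy or in a sandboxed iframe.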

Affected Version(s)

Kavita <= 0.8.0

References

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
