GSA_kwCzR0hTQS1yNzM1LTlnYzYtMmh2cc4ABBYj

Moderate EPSS: 0.00056% (0.17543 Percentile) EPSS:

Permalink JSON

Cross-site Scripting (XSS) - DOM in janeczku/calibre-web

Affected Packages	Affected Versions	Fixed Versions
pypi:calibreweb	< 0.6.15	0.6.15
0 Dependent packages 1 Dependent repositories 3,036 Downloads last month Affected Version Ranges All affected versions 0.6.12, 0.6.13, 0.6.14 All unaffected versions 0.6.15, 0.6.16, 0.6.17, 0.6.18, 0.6.19, 0.6.20, 0.6.21, 0.6.22, 0.6.23, 0.6.24

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file edit_books.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.

References:

Identifiers

GHSA-r735-9gc6-2hvq

CVE-2021-3988

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00056

EPSS Percentile: 0.17543

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/janeczku/calibre-web

Date and time

Published

9 months ago

Updated

8 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories