Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
Aug 22nd 2021
stored xss via book description
💥 STEP TO REPRODUCE
Lets there is two user Admin and user-B . user-B has edit permission in book.
1. Now goto user-B account and visit
http://localhost:8083/admin/book/12 and edit the metadata .
During edit put bellow xss payload in book
Description field and save it .
xss"'><img src=x onerror=alert()>
2. Now admin open above book url
http://localhost:8083/book/12 and see xss is executed
Xss allow to execute arbitary javscritp in admin account