Cross-site Scripting (XSS) - Stored in janeczku/calibre-web

Status: Valid

Reported on Aug 22nd 2021


💥 BUG

Stored XSS via book description

💥 STEPS TO REPRODUCE

Assume there are two users, Admin and user-B. user-B has permission to edit books.

1. Log in as user-B, visit http://localhost:8083/admin/book/12 and edit the metadata. While editing, put the XSS payload below in the book Description field and save it.

xss"'><img src=x onerror=alert()>

2. Now, as Admin, open the book page http://localhost:8083/book/12 and observe that the XSS payload executes.

💥 VIDEO

https://drive.google.com/file/d/1U1nx7N1jKdG2MNTKpYFTynRdSRWHO4kz/view?usp=sharing

💥 IMPACT

The stored XSS allows arbitrary JavaScript to execute in the context of the admin account.
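The root cause is that HTML supplied by a low-privileged editor is stored and later rendered unescaped to other users, including the admin. Because a book description legitimately carries light HTML formatting, the usual defence is an allow-list sanitizer applied server-side before the value is stored or rendered. The following is an added example, not calibre-web's own code and not the fix shipped in 0.6.13; the allowed tag set and the http(s)-only link policy are assumptions chosen for illustration.

```python
"""Allow-list sanitizer for user-supplied book descriptions (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy (not calibre-web's): basic formatting only, no attributes
# except a vetted href, no inline scripts or event handlers.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                       # emitted without a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its inner text are removed


class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = None  # tag whose inner text is currently discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tags such as <img> are dropped, their text is kept
        safe_attrs = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            # Only absolute http(s) links survive; javascript: and data: are dropped
            if urlsplit(href).scheme in ("http", "https"):
                safe_attrs = f' href="{escape(href, quote=True)}"'
        self.out.append(f"<{tag}{safe_attrs}>")  # all other attributes vanish

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping is None:
            # Re-escape every text node so quotes and brackets cannot break out
            self.out.append(escape(data, quote=True))


def sanitize_description(raw_html: str) -> str:
    """Return an HTML fragment containing only allow-listed markup."""
    parser = DescriptionSanitizer()
    parser.feed(raw_html)
    parser.close()  # flush buffered text
    return "".join(parser.out)
```

Run on the payload from the report, the `<img>` element and its `onerror` handler are removed and the leading quote characters are entity-encoded, so the stored value renders as literal text.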

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 9 months ago
janeczku validated this vulnerability 8 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs
a month ago

@admin: Sorry, I'm only the maintainer and not the owner of the calibre-web repository, and I deleted the email with the access token to mark this issue as fixed. Could you please do this for me? It was fixed in version 0.6.13 with commit: https://github.com/janeczku/calibre-web/commit/5c19a8aacc393549a1f4c1f3943d25c1f5f5736a The fix bounty can be dropped.

Jamie Slome confirmed that a fix has been merged on 5c19a8 a month ago
The fix bounty has been dropped
Jamie Slome
a month ago

Admin

Sorted 👍
