Cross-site Scripting (XSS) - Stored in janeczku/calibre-web


Reported on Aug 22nd 2021


Stored XSS via book description


Suppose there are two users, Admin and user-B. user-B has permission to edit books.

1. Log in as user-B, visit http://localhost:8083/admin/book/12 and edit the metadata.
While editing, put the XSS payload below in the book Description field and save it.

xss"'><img src=x onerror=alert()>

2. Now the admin opens the same book URL http://localhost:8083/book/12 and the XSS executes.



The XSS allows arbitrary JavaScript execution in the admin's account.
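The root cause is that the stored description is placed into the book page as raw HTML. The example below is added here and is not calibre-web's own code or its actual fix; the function names, the `ALLOWED_TAGS`/`ALLOWED_ATTRS` allow-list and the URL scheme check are assumptions chosen for illustration. It shows the vulnerable rendering beside two defensive renderings: plain HTML entity encoding (simplest, but loses the formatting a book description legitimately carries) and a stdlib allow-list sanitizer that keeps harmless markup while dropping unknown tags and any attribute not explicitly listed, so event handlers such as `onerror` can never survive. The payload quoted in the report is used only as test input.

```python
"""Added example, not calibre-web code: rendering a user-supplied book
description so a stored payload cannot execute in the viewer's browser.
All names here are hypothetical."""
from html import escape
from html.parser import HTMLParser

# Payload quoted in the report, used here purely as test input.
REPORT_PAYLOAD = 'xss"\'><img src=x onerror=alert()>'

# Assumed allow-list: markup a book description legitimately needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


def render_unsafe(description: str) -> str:
    """Vulnerable: trusts the stored HTML verbatim (the behaviour the report describes)."""
    return f"<div class='description'>{description}</div>"


def render_escaped(description: str) -> str:
    """Simplest fix: treat the description as plain text via entity encoding."""
    return f"<div class='description'>{escape(description, quote=True)}</div>"


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags and attributes.
    Unknown tags are dropped, text is entity-encoded, and an href is kept
    only when it uses a safe scheme (blocks javascript: URLs)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # e.g. <img>, <script>: dropped entirely, attributes included
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror, onclick, style, ... never reach the output
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))


def sanitize(description: str) -> str:
    """Return the description with only allow-listed markup retained."""
    parser = AllowListSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


def render_sanitized(description: str) -> str:
    """Hardened rendering that still preserves harmless formatting."""
    return f"<div class='description'>{sanitize(description)}</div>"


if __name__ == "__main__":
    print("unsafe    :", render_unsafe(REPORT_PAYLOAD))
    print("escaped   :", render_escaped(REPORT_PAYLOAD))
    print("sanitized :", render_sanitized(REPORT_PAYLOAD))
```

The sanitizer runs at render time (or at save time, before the description is stored) and must be the only path by which the description reaches the template; marking the field as safe in Jinja2 after sanitizing is then justified, whereas marking raw stored input as safe is exactly the defect reported here.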

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
janeczku validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs
a year ago

@admin: Sorry, I'm only the maintainer and not the owner of the calibre-web repository, and I deleted the email with the access token to mark this issue as fixed; could you please do this for me? It was fixed in version 0.6.13 with commit: The fix bounty can be dropped

Jamie Slome marked this as fixed in 0.6.13 with commit 5c19a8 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
a year ago


Sorted 👍
