Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
Aug 22nd 2021
Stored XSS via book description
💥 STEPS TO REPRODUCE
Suppose there are two users, Admin and user-B. user-B has edit permission for books.
1. Go to the user-B account, visit http://localhost:8083/admin/book/12 and edit the metadata. During the edit, put the XSS payload below in the book's Description field and save it.
xss"'><img src=x onerror=alert()>
2. Now the admin opens the above book URL, http://localhost:8083/book/12, and sees that the XSS is executed.
The XSS allows arbitrary JavaScript to be executed in the admin account.
@admin: Sorry, I'm only the maintainer and not the owner of the calibre-web repository, and I deleted the email with the access token to mark this issue as fixed. Could you please do this for me? It was fixed in version 0.6.13 with commit: https://github.com/janeczku/calibre-web/commit/5c19a8aacc393549a1f4c1f3943d25c1f5f5736a The fix bounty can be dropped.