Business Logic Errors in janeczku/calibre-web
Status: Valid
Reported on: Dec 24th 2021
# Description
It is possible to create two public-facing shelves with the same name, which the application's own rules forbid; this is a business logic error.
# Steps To Reproduce
1. Create a shelf (with an empty name).
2. Tick the "share with everyone" box.
3. Create another shelf (with an empty name).
4. Tick the "share with everyone" box; an error is shown and the shelf is not created.
5. Untick the "share with everyone" box and save; the shelf is now created.
6. Open the edit-shelf properties of the second shelf and tick the "share with everyone" box.
7. Save.
There are now two public-facing shelves with the same name, which the application does not allow, yet the steps above achieve it: the check that rejects a duplicate public name at creation time is not applied when an existing shelf is edited.
(POC Video)
https://drive.google.com/file/d/1MsDyL7Vezl0jmtkdfbd0uiLcMqS_OqV7/view?usp=sharing
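To make the flaw concrete, here is an added example (my own code, not calibre-web's) that models the "public shelf names must be unique" rule with an in-memory store, shows the create-only check that the report's edit path walks around, and the fix that applies the same check on edit. The class and function names are hypothetical and not taken from the project.

```python
# Added example, not calibre-web's own code: a minimal model of the rule
# "public shelf names are unique" and of the edit-path bypass in the report.
class ShelfError(ValueError):
    pass


class ShelfStore:
    def __init__(self):
        self.shelves = {}  # id -> {"name": str, "public": bool}

    def _public_name_taken(self, name, exclude_id=None):
        # True if a *different* public shelf already uses this name.
        return any(s["public"] and s["name"] == name and sid != exclude_id
                   for sid, s in self.shelves.items())

    def create(self, name, public):
        # Both variants validate on create, which is why step 4 errors.
        if public and self._public_name_taken(name):
            raise ShelfError("a public shelf with this name exists")
        shelf_id = len(self.shelves) + 1
        self.shelves[shelf_id] = {"name": name, "public": public}
        return shelf_id

    def edit_unchecked(self, shelf_id, name, public):
        # Vulnerable: no check on edit, so a shelf saved as private can
        # later be flipped to public (steps 5-7 of the report).
        self.shelves[shelf_id] = {"name": name, "public": public}

    def edit_fixed(self, shelf_id, name, public):
        # Fixed: same rule on edit; the shelf being edited is excluded so
        # re-saving an unchanged public shelf still succeeds.
        if public and self._public_name_taken(name, exclude_id=shelf_id):
            raise ShelfError("a public shelf with this name exists")
        self.edit_unchecked(shelf_id, name, public)

    def public_duplicate_names(self):
        names = [s["name"] for s in self.shelves.values() if s["public"]]
        return sorted({n for n in names if names.count(n) > 1})


def run_report_steps(fixed):
    # Replay steps 1-2 and 5-7 of the report (steps 3-4, the rejected
    # create, are ShelfStore.create); return colliding public names.
    store = ShelfStore()
    store.create("", True)                    # steps 1-2
    second = store.create("", False)          # step 5: saved as private
    edit = store.edit_fixed if fixed else store.edit_unchecked
    try:
        edit(second, "", True)                # steps 6-7
    except ShelfError:
        pass                                  # only the fixed path raises
    return store.public_duplicate_names()
```

With the unchecked edit, `run_report_steps(fixed=False)` reports the empty name as a public duplicate; with the fixed edit it reports none.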
# Impact
This vulnerability allows a design restriction to be bypassed (a business logic error); the concrete impact depends on how the application relies on that restriction.