Business Logic Errors in janeczku/calibre-web


Reported on

Dec 24th 2021


There is a possibility to create 2 public phasing shelfs that have the same name, which is a business logic error.

Steps To Reproduce

1.  Create a shelf (with empty name)
2.  Tick the share with everyone box
3.  Create another shelf (with empty name) 
4.  Tick the share with everyone box, it will prompt an error, and the shelf will not be created
5.  Untick the share with everyone box and save, the shelf will be created.
6.  Go to the edit shelf properties of the second shelf, and tick the share with everyone box 
7.  Save

And now there are two shelfs with the same name and are public phasing, which is not allowed by the application. However following the steps above can be achieved.

(POC Video) 

# Impact
This vulnerability is capable of design bypass, restriction bypass, business logic error and more depending on the application.

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 5 months ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 5 months ago
janeczku validated this vulnerability 5 months ago
siyah.A has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku confirmed that a fix has been merged on 3e0d87 4 months ago
The fix bounty has been dropped
to join this conversation