Improper Access Control in janeczku/calibre-web


Reported on

Nov 15th 2021


Although a user has no permissions about public shelves, he can create them.

Proof of Concept

The method create_shelf at does not check if the user has public shelf permissions for create it.

@shelf.route("/shelf/create", methods=["GET", "POST"])
def create_shelf():
    shelf = ub.Shelf()
    return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate") # directly creates the shelf without checking.

Steps to Reproduce

#1. As an admin, access to the admin panel to see the users list. One of them, called Ile, has no permissions about public shelves (indicated with a X).

#2. As user "ile", login and go to Create shelf option. Observe this user cannot select the box for "Share with public".

#3. Save the shelf with its name and intercepts the request.

#4. Add a parameter as follows: is_public=on Image 1

#5. Send the request and load the page both from admin and user "ile". See that a public shelf was created by this user. Image 2


The user does non-authorized actions.

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 19 days ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 18 days ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 15 days ago
janeczku validated this vulnerability 14 days ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku confirmed that a fix has been merged on bcdc97 14 days ago
The fix bounty has been dropped