Insufficient Session Expiration in janeczku/calibre-web


Reported on

Jul 21st 2021

✍️ Description

The app does not expire the user's session after the logout. It is possible to continue using the session even when the user has logged out.

🕵️‍♂️ Proof of Concept

1. Login as a user at /login.
2. Select logout, intercepting and copying the user's cookie.
3. After this logout, send a new request to /me with the copied cookies.
4. See that is still possible to get information from the site.

The method logout_user() at line 1575 from the file does not expire the session properly.

💥 Impact

This could allow potential unwanted actions. If the account is compromised in some way (e.g, someone stole the cookies, accessed the browser, etc), a malicious actor could do actions in name of the user even when he has been logged out.

Jamie Slome
a year ago


I have now granted the maintainer access to the page.

Ozzie Isaacs
a year ago

Seems to be a known problem from flask-login

Ozzie Isaacs validated this vulnerability a year ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
Ozzie Isaacs
a year ago

@admin: Looks I lost the email where I can report the problem fixed. (Commit for fix was this one: Would be great if you could handle this somehow

Jamie Slome confirmed that a fix has been merged on a63baa a year ago
The fix bounty has been dropped
Jamie Slome
a year ago


Sorted! 🎊

to join this conversation