Insufficient Session Expiration in janeczku/calibre-web


Reported on

Jul 21st 2021

✍️ Description

The app does not expire the user's session after the logout. It is possible to continue using the session even when the user has logged out.

🕵️‍♂️ Proof of Concept

1. Login as a user at /login.
2. Select logout, intercepting and copying the user's cookie.
3. After this logout, send a new request to /me with the copied cookies.
4. See that is still possible to get information from the site.

The method logout_user() at line 1575 from the file does not expire the session properly.

💥 Impact

This could allow potential unwanted actions. If the account is compromised in some way (e.g, someone stole the cookies, accessed the browser, etc), a malicious actor could do actions in name of the user even when he has been logged out.

Jamie Slome
2 years ago


I have now granted the maintainer access to the page.

Ozzie Isaacs
2 years ago

Seems to be a known problem from flask-login

Ozzie Isaacs validated this vulnerability 2 years ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
Ozzie Isaacs
2 years ago

@admin: Looks I lost the email where I can report the problem fixed. (Commit for fix was this one: Would be great if you could handle this somehow

Jamie Slome marked this as fixed with commit a63baa 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
2 years ago


Sorted! 🎊

to join this conversation