Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web


Reported on Jul 22nd 2021

✍️ Description

A user can see the name of another user's private shelf through a forbidden error.

🕵️‍♂️ Proof of Concept

  1. As user 1, try to add a book to user 2's shelf: GET /shelf/add/2/2
  2. See the returned error: Sorry you are not allowed to add a book to the the shelf: shelf test2 (this is the name of user 2's shelf, which is private). See image.

Lines 75 and 78 should remove the shelf names from the error messages.
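The following is an added illustration, not calibre-web's own code, of the pattern the report describes: an authorization check that fails correctly (403) but interpolates the name of the other user's private shelf into the error text, next to a version that returns a fixed generic message. The `Shelf` class, the sample data and the simplified owner-only `can_edit_shelf` rule are assumptions constructed for the example; the real application's permission rules are richer.

```python
# Added example (not calibre-web code): an authorization failure that leaks a
# private shelf name through its error message, and a hardened version.
from dataclasses import dataclass


@dataclass(frozen=True)
class Shelf:
    id: int
    user_id: int      # owner of the shelf
    name: str
    is_public: bool


# Constructed sample data: user 2 owns a private shelf named "shelf test2".
SHELVES = {
    2: Shelf(id=2, user_id=2, name="shelf test2", is_public=False),
}


def can_edit_shelf(shelf: Shelf, user_id: int) -> bool:
    """Simplified rule (assumption): only the owner may modify a shelf."""
    return shelf.user_id == user_id


def add_to_shelf_leaky(shelf_id: int, user_id: int) -> tuple[int, str]:
    """Vulnerable pattern: the access check is right, the message is not."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return 404, "Shelf not found"
    if not can_edit_shelf(shelf, user_id):
        # The caller was denied access to this shelf, yet its name is
        # echoed back to them: this is the information disclosure.
        return 403, f"Sorry you are not allowed to add a book to the shelf: {shelf.name}"
    return 200, f"Book added to shelf: {shelf.name}"


def add_to_shelf_fixed(shelf_id: int, user_id: int) -> tuple[int, str]:
    """Hardened pattern: a constant message that carries no data from the
    object the caller is not allowed to see. Folding "missing" and "not
    permitted" into one response also avoids confirming which shelf ids exist."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None or not can_edit_shelf(shelf, user_id):
        return 403, "Sorry you are not allowed to add a book to this shelf"
    return 200, f"Book added to shelf: {shelf.name}"


def message_leaks_name(message: str, shelf_id: int) -> bool:
    """Simple regression check a test suite can run over error responses:
    does the message contain the name of the shelf that was requested?"""
    shelf = SHELVES.get(shelf_id)
    return shelf is not None and shelf.name in message


if __name__ == "__main__":
    # Reproduce the report's scenario: user 1 targets user 2's private shelf.
    for handler in (add_to_shelf_leaky, add_to_shelf_fixed):
        status, msg = handler(2, 1)
        print(handler.__name__, status, repr(msg),
              "LEAKS NAME" if message_leaks_name(msg, 2) else "ok")
```

The `message_leaks_name` check is the kind of assertion worth keeping in a test suite after a fix like this: any future error path that rebuilds a message from the denied object's fields will trip it.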

💥 Impact

This vulnerability is capable of revealing private information to an unauthorized user.


Hey Ileana, I've just contacted the calibre-web team re: this report. Waiting to hear back!

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
Ozzie Isaacs validated this vulnerability a year ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs confirmed that a fix has been merged on c7b057 a year ago
Ileana Barrionuevo has been awarded the fix bounty
