Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web

Valid

Reported on

Jul 22nd 2021


✍️ Description

A user can learn the name of another user's private shelf from the error message returned with the forbidden (403) response.

🕵️‍♂️ Proof of Concept

  1. As user 1, try to add a book to user 2's shelf: GET /shelf/add/2/2
  2. Read the returned error: "Sorry you are not allowed to add a book to the the shelf: shelf test2". Here "shelf test2" is the name of user 2's shelf, which is private (see image).

Lines 75 and 78 of the add-to-shelf handler should drop the shelf name from the error message.
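To make the leak and its fix concrete, the following is an added, stand-alone Python model of the add-to-shelf route; it is example code written for this page, not calibre-web's own handler. The `Shelf` class, the `SHELVES` sample data, the owner-only rule in `can_edit_shelf` and the `harvest_shelf_names` enumeration loop are all assumptions made for the demonstration. The leaky handler interpolates the shelf name into the 403 text exactly as the proof of concept above observes; the fixed handler returns a generic denial and keeps the identifying detail in the server log.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("shelf_demo")


@dataclass
class Shelf:
    id: int
    name: str
    owner_id: int
    books: list = field(default_factory=list)


# Constructed sample data (not calibre-web's database): user 1 owns shelf 1,
# user 2 owns the private shelf "shelf test2" with id 2. Shelf id 3 does not exist.
SHELVES = {
    1: Shelf(1, "shelf test1", owner_id=1),
    2: Shelf(2, "shelf test2", owner_id=2),
}


def can_edit_shelf(user_id: int, shelf: Shelf) -> bool:
    """Hypothetical permission rule: only the owner may add books to a shelf."""
    return shelf.owner_id == user_id


def add_to_shelf_leaky(user_id: int, shelf_id: int, book_id: int):
    """Vulnerable pattern: the 403 message interpolates shelf.name, so any
    logged-in user learns the name of a shelf they are not allowed to touch."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return 400, "Invalid shelf specified"
    if not can_edit_shelf(user_id, shelf):
        return 403, "Sorry you are not allowed to add a book to the shelf: %s" % shelf.name
    shelf.books.append(book_id)
    return 200, "Book has been added to shelf"


def add_to_shelf_fixed(user_id: int, shelf_id: int, book_id: int):
    """Hardened pattern: the client gets a generic denial; the identifying
    detail goes to the server log, which only operators can read."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return 400, "Invalid shelf specified"
    if not can_edit_shelf(user_id, shelf):
        log.warning("user %s denied adding book %s to shelf %s (%r)",
                    user_id, book_id, shelf_id, shelf.name)
        return 403, "Sorry you are not allowed to add a book to the shelf"
    shelf.books.append(book_id)
    return 200, "Book has been added to shelf"


def harvest_shelf_names(handler, user_id: int, shelf_ids) -> dict:
    """Model the proof of concept as an enumeration: call the handler for each
    shelf id and keep whatever name the denial message discloses."""
    leaked = {}
    for shelf_id in shelf_ids:
        status, message = handler(user_id, shelf_id, book_id=1)
        if status == 403 and ": " in message:
            leaked[shelf_id] = message.split(": ", 1)[1]
    return leaked


if __name__ == "__main__":
    # As user 1, sweep shelf ids 1..3 against both handlers.
    print(harvest_shelf_names(add_to_shelf_leaky, 1, range(1, 4)))  # {2: 'shelf test2'}
    print(harvest_shelf_names(add_to_shelf_fixed, 1, range(1, 4)))  # {}
```

Note that the fixed handler in this model still answers 400 for a nonexistent shelf and 403 for an existing one, so shelf ids remain distinguishable even though names no longer are; the report above concerns only the name, so the example leaves that status distinction in place.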

💥 Impact

This vulnerability reveals private information (the name of another user's private shelf) to an unauthorized user.

Occurrences

Ziding Zhang (Admin), 4 months ago:

Hey Ileana, I've just contacted the calibre-web team re: this report. Waiting to hear back!

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 4 months ago
Ozzie Isaacs validated this vulnerability 4 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs confirmed that a fix has been merged on c7b057 4 months ago
Ileana Barrionuevo has been awarded the fix bounty