Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web
Jul 22nd 2021
A user can see the name of another user's private shelf through a forbidden error.
Proof of Concept
- As user 1, try to add a book to user 2's shelf:
- See the returned error:
Sorry you are not allowed to add a book to the the shelf: shelf test2 ("shelf test2" is the name of user 2's shelf, which is private). See image.
Lines 75 and 78 should not include the shelf name in the error message.
This vulnerability is capable of revealing private information to an unauthorized user.
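The remedy the report asks for, as an added illustration that is not calibre-web's own code: a constructed, minimal model of the shelf permission check, with the message that echoes the shelf name beside one that omits it and keeps the shelf id only in a server-side audit record. The `Shelf`/`User` classes, function names and the success message text are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed data model (hypothetical; not calibre-web's ORM).
@dataclass
class User:
    id: int

@dataclass
class Shelf:
    id: int
    name: str
    user_id: int        # owner of the shelf
    is_public: bool

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

def can_add_to_shelf(user: User, shelf: Shelf) -> bool:
    # Simplified rule: the owner may add; public shelves are open to everyone.
    return shelf.user_id == user.id or shelf.is_public

def add_book_vulnerable(user: User, shelf: Shelf, book_id: int) -> str:
    """Before: the forbidden message interpolates shelf.name, so a user who
    is refused still learns the name of another user's private shelf."""
    if not can_add_to_shelf(user, shelf):
        return "Sorry you are not allowed to add a book to the the shelf: %s" % shelf.name
    return "Book %d has been added to shelf: %s" % (book_id, shelf.name)

def add_book_hardened(user: User, shelf: Shelf, book_id: int, audit: AuditLog) -> str:
    """After: the refusal sent to the client names no shelf. The numeric shelf
    id goes to the server-side audit log, where operators can still see it.
    The owner (or anyone allowed to add) keeps seeing the name on success."""
    if not can_add_to_shelf(user, shelf):
        audit.entries.append(
            "user %d denied add of book %d to shelf %d" % (user.id, book_id, shelf.id))
        return "Sorry you are not allowed to add a book to this shelf"
    return "Book %d has been added to shelf: %s" % (book_id, shelf.name)

def leaks_private_name(message: str, shelf: Shelf) -> bool:
    """Regression check: does a client-facing message reveal a private shelf's name?"""
    return (not shelf.is_public) and shelf.name in message
```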