Exposure of Private Personal Information to an Unauthorized Actor in janeczku/calibre-web


Reported on

Jul 22nd 2021

✍️ Description

A user can see the name of another user's private shelf through a forbidden error.

🕵️‍♂️ Proof of Concept

  1. As user 1, try to add a book to user 2's shelf: GET /shelf/add/2/2
  2. See the returned error: Sorry you are not allowed to add a book to the the shelf: shelf test2 (This is the name of user2's shelf, which is private). See image

Lines 75 and 78 should remove the shelfnames.

💥 Impact

This vulnerability is capable of revealing private info to an unauthorized user.
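The leak described in this report, next to a hardened variant, as an added example that is not calibre-web's own code. The `Shelf` model, the handler names, the audit log and the hardened message text are assumptions made for illustration; only the leaky denial message and the shelf name `shelf test2` come from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Shelf:
    id: int
    name: str
    owner_id: int


# Constructed sample data mirroring the report: shelf 2 is user 2's private shelf.
SHELVES = {1: Shelf(1, "shelf test1", 1), 2: Shelf(2, "shelf test2", 2)}


def add_book_leaky(user_id, shelf_id, book_id):
    """Behaviour from the report: the denial message echoes the shelf name."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return 404, "Invalid shelf specified"
    if shelf.owner_id != user_id:
        return 403, ("Sorry you are not allowed to add a book to the the shelf: "
                     + shelf.name)
    return 200, f"Book {book_id} added to shelf: {shelf.name}"


def add_book_hardened(user_id, shelf_id, book_id, audit_log):
    """Same ownership check, but the response never carries another user's data."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None or shelf.owner_id != user_id:
        # The detail goes to a server-side log only; missing and forbidden
        # shelves get an identical response, so shelf ids cannot be probed either.
        audit_log.append((user_id, shelf_id, shelf.name if shelf else None))
        return 403, "Sorry you are not allowed to add a book to that shelf"
    # The name is safe to show here: the caller owns the shelf.
    return 200, f"Book {book_id} added to shelf: {shelf.name}"


if __name__ == "__main__":
    log = []
    print(add_book_leaky(1, 2, 2))          # user 1 targets user 2's shelf
    print(add_book_hardened(1, 2, 2, log))  # generic denial, no shelf name
    print(log)                              # detail kept server-side
```

Returning the same response for a missing shelf and a forbidden one goes one step beyond what the report asks for; it closes the related shelf-id enumeration channel.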




Hey Ileana, I've just contacted the calibre-web team re: this report. Waiting to hear back!

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
Ozzie Isaacs validated this vulnerability 2 years ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs marked this as fixed with commit c7b057 2 years ago
Ileana Barrionuevo has been awarded the fix bounty
This vulnerability will not receive a CVE