Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web


Reported on

Jul 23rd 2021

✍️ Description

The attribute name is not properly restricted so a user can change his username even when the view does not allow to change it.

🕵️‍♂️ Proof of Concept

//The method change_profile() saves also de name if it is present in the request. It does not check if the user has the permission to change it. = check_username(to_save["name"])
  1. Go to user profile.
  2. Change the email address or any data.
  3. Intercept the request POST /me
  4. In the request body, add the values name=name+changed! to the other attributes. Image
  5. Send the request.
  6. See that the change has been made. Image

💥 Impact

This vulnerability is capable of allow a non authorized change the username.


We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
Ozzie Isaacs validated this vulnerability 2 years ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs marked this as fixed with commit 3c8bfc 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation