Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Reported on
Jan 17th 2022
Description
There is a reflected XSS vulnerability on the site calibre-web.
Proof of Concept
1. Go to the calibre e-book management page.
2. Create a new book and give it the title <script src=1 href=1 onerror="javascript:alert(300)"></script>
3. Also give it the title sort name <script src=1 href=1 onerror="javascript:alert(300)"></script>
4. Save and go to the website.
5. Go to Author.
6. Press one of the books.
7. Then right click and press Inspect Element.
8. Then press Author/strored.
Video POC: https://drive.google.com/file/d/1umL5Vk5ezXxIA3nm43fPWl-FiD0Uy77z/view?usp=sharing
Impact
Reflected XSS allows attackers to misguide visitors of a website, steal cookies, and send arbitrary requests.
I can't reproduce it. There is something wrong in the code, I agree with that. If I open the author view with the book I see a '">' on top of the cover, and clicking on the cover no longer opens a dialog (book details dialog); instead the book details view (the one with the blue Download buttons) is opened as a new page. No JavaScript is executed. I tested it with the newest commit on master. Checked browsers are Firefox (96.0.1) and Chromium (97.0.4692.71). Both on Linux Mint 20.4. Your video only shows the second part of the problem. The link to open authors normally ends with an author ID; the only link without ID is for author 1. Does this also happen with other books than the first one?
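The '">' the maintainer describes above is what a title turns into when it is interpolated unescaped into an HTML attribute. The block below is an added illustration, not calibre-web's code: it renders an assumed minimal author-view fragment with and without escaping and tokenises the result with Python's standard-library HTML parser to show where the reported title ends up.

```python
"""Added illustration (not calibre-web code): what an unescaped book title does
inside an attribute of the author view, and how escaping fixes it.  The fragment
layout is assumed; the title is the one from the report."""
import html
from html.parser import HTMLParser

# Constructed input: the title submitted in the report above.
REPORTED_TITLE = '<script src=1 href=1 onerror="javascript:alert(300)"></script>'

def render_unescaped(book_id: int, title: str) -> str:
    # Vulnerable: the stored title goes raw into title="...", so its inner quote
    # closes the attribute and the following '>' closes the <a> tag itself.
    return f'<a href="/book/{book_id}" title="{title}"><img src="/cover/{book_id}"></a>'

def render_escaped(book_id: int, title: str) -> str:
    # Hardened: html.escape(quote=True) turns & < > " ' into entities, so the
    # value can no longer terminate the attribute or the tag.
    safe = html.escape(title, quote=True)
    return f'<a href="/book/{book_id}" title="{safe}"><img src="/cover/{book_id}"></a>'

class AnchorAudit(HTMLParser):
    """Tokenises the fragment like a browser would: records the attributes the
    <a> tag actually received and any text that leaked outside every tag."""
    def __init__(self) -> None:
        super().__init__()
        self.a_attrs = []
        self.stray_text = ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.a_attrs = list(attrs)
    def handle_data(self, data):
        self.stray_text += data

def audit(fragment: str) -> dict:
    """Report the title the anchor ended up with (entity-decoded by the parser),
    how many attributes it carries, and which text spilled into the page."""
    p = AnchorAudit()
    p.feed(fragment)
    p.close()
    return {
        "anchor_title": dict(p.a_attrs).get("title"),
        "anchor_attr_count": len(p.a_attrs),
        "stray_text": p.stray_text.strip(),
    }

if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(name, audit(render(1, REPORTED_TITLE)))
```

The parse matches the maintainer's observation: unescaped, the anchor is closed early and '">' becomes page text, while escaped, the title survives intact as an attribute value. In a Jinja2/Flask application the equivalent fix is keeping autoescaping on and never marking such a field with |safe.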