Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web


Reported on

Nov 16th 2021


A user with no permission to manage public shelves can edit their own private shelf and make it public. This class of vulnerability is called mass assignment.

Proof of Concept

The handler at line 247 of the file takes the shelf's public flag directly from the submitted form for every shelf being edited, so if the user injects the parameter is_public=on into the POST request, the shelf is saved as public.

    if request.method == "POST":
        to_save = request.form.to_dict()
        shelf.is_public = 1 if to_save.get("is_public") else 0

This assignment happens after the user's permissions over public shelves have been checked, so if someone injects that parameter, the shelf is saved as public.

Steps to reproduce

#1. Log in as a user who has no permission to create or edit public shelves.

#2. Create a shelf; it is a private one (Image 1).

#3. Edit this shelf and save, intercepting the request POST /shelf/edit/{id_shelf}.

#4. Add the body parameter is_public=on and forward the request (Image 2).

#5. Check that the private shelf has become a public one (Image 3).


The handler should check whether the user has permission for public shelves at the point where the request body is received. The order of the validations and the function check_shelf_edit_permissions should also be reviewed to rule out these possibilities.
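The pattern described above, reduced to plain Python as an added illustration (not code from calibre-web): a vulnerable edit handler that copies is_public straight from the form beside a hardened one that validates the flag against the user's permission when the body arrives. The User/Shelf classes, the can_edit_public_shelves flag and the plain-dict form are assumptions standing in for the application's own models and request.form.to_dict().

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    can_edit_public_shelves: bool  # hypothetical permission flag


@dataclass
class Shelf:
    title: str
    owner: str
    is_public: int = 0


def vulnerable_edit(shelf: Shelf, user: User, form: dict) -> Shelf:
    """Mirrors the reported bug: is_public is taken from the form after the
    permission check has already run, so any owner can flip it to public."""
    if shelf.owner != user.name:
        raise PermissionError("not the shelf owner")
    shelf.title = form.get("title", shelf.title)
    shelf.is_public = 1 if form.get("is_public") else 0
    return shelf


def hardened_edit(shelf: Shelf, user: User, form: dict) -> Shelf:
    """Same edit, but the visibility field is only honoured for users who
    are allowed to manage public shelves; an unexpected is_public parameter
    from anyone else is rejected rather than silently applied."""
    if shelf.owner != user.name:
        raise PermissionError("not the shelf owner")
    shelf.title = form.get("title", shelf.title)
    if "is_public" in form and not user.can_edit_public_shelves:
        # constructed check: the form carries a field this user may not set
        raise PermissionError("user may not change shelf visibility")
    if user.can_edit_public_shelves:
        shelf.is_public = 1 if form.get("is_public") else 0
    return shelf


if __name__ == "__main__":
    alice = User("alice", can_edit_public_shelves=False)
    tampered = {"title": "mine", "is_public": "on"}  # constructed request body
    print(vulnerable_edit(Shelf("mine", "alice"), alice, tampered).is_public)  # 1
```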

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
We have sent a second follow up to the janeczku/calibre-web team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the janeczku/calibre-web team. This report is now considered stale. a year ago
Ozzie Isaacs
a year ago

Sorry. I get confused by all these emails and there is no "dashboard" to track what's open and what's not. Meanwhile I don't see any verify button here, so I can't do anything. @admin: Sorry Jamie, could you please mark this report as valid?

janeczku validated this vulnerability a year ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs
a year ago

@admin I can't mark this issue as fixed. This is fixed in the newest version 0.6.15. The commit to fix this was:

janeczku marked this as fixed in 0.6.15 with commit bcdc97 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


@admin Okay got it, it works if I'm not logged in and then use the link with the token I get in the email

Jamie Slome
a year ago


Correct 👍
