Cross-site Scripting (XSS) - DOM in janeczku/calibre-web

Valid

Reported on

Nov 15th 2021


Description

It is possible to execute XSS payloads when editing book properties: the name of the file selected for a cover or format upload is inserted into the page as HTML without escaping.

Proof of Concept

The file edit_books.js contains the following code:

$("#btn-upload-cover").on("change", function () {
    var filename = $(this).val();
    // Chromium-based browsers report "C:\fakepath\<name>" for file inputs; strip that prefix.
    if (filename.substring(3, 11) === "fakepath") {
        filename = filename.substring(12);
    }
    $("#upload-cover").html(filename); // vulnerable: the filename is parsed as HTML, not inserted as text
});

XSS PoC (video)

Impact

This allows stealing cookies, for example, and the range of possible attacks widens depending on the payload.

Occurrences

The same pattern appears in the handler for the format upload.

When uploading a cover, the DOM interprets the user-supplied filename directly as HTML.
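The following is an added example, not code from the report or from calibre-web. It models the cover-upload handler without jQuery or a browser so the sink can be exercised from the command line: the same fakepath stripping as the original, the string that `.html(filename)` hands to the HTML parser, and the string a text-node insertion (`.text(filename)` or `element.textContent`) would produce instead. The function names, the `escapeHtml` helper, the payload filename and the sample values are all constructed for this illustration.

```javascript
// Same fakepath handling as the handler in edit_books.js: Chromium-based
// browsers report "C:\fakepath\<name>" for a file input's value, other
// browsers may report the bare filename, so both shapes are accepted.
function stripFakepath(value) {
  if (value.substring(3, 11) === "fakepath") {
    return value.substring(12);
  }
  return value;
}

// Escapes the five characters that can open markup or break out of an
// attribute. This is what a text node gives you for free; it is written out
// here only so the difference between the two sinks is visible as a string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: $("#upload-cover").html(filename). The markup that reaches
// the DOM is the filename verbatim, so any tags in it become elements.
function renderVulnerable(inputValue) {
  return stripFakepath(inputValue);
}

// Hardened sink: $("#upload-cover").text(filename). The filename becomes a
// text node; serialised back to HTML it is escaped and cannot create elements.
function renderHardened(inputValue) {
  return escapeHtml(stripFakepath(inputValue));
}

// Crude detector used to compare the two: does the rendered HTML open a tag?
function introducesTag(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed attacker input: a file literally named
//   <img src=x onerror=alert(document.cookie)>.jpg
// as a Chromium file input would report it after the user picks it.
const PAYLOAD_VALUE = "C:\\fakepath\\<img src=x onerror=alert(document.cookie)>.jpg";
// Constructed benign input for comparison.
const BENIGN_VALUE = "C:\\fakepath\\cover.jpg";

console.log("vulnerable:", renderVulnerable(PAYLOAD_VALUE));
console.log("hardened:  ", renderHardened(PAYLOAD_VALUE));
console.log("benign:    ", renderHardened(BENIGN_VALUE));
```

Two practical notes. The string is whatever the browser's file chooser reports, so the payload is simply a file whose name contains markup; such a name can be created on Linux or macOS, while Windows forbids `<` and `>` in filenames. And the hardened variant only illustrates the text-node insertion that removes the sink; what the merged fix referenced on this page actually changed is not shown here, so do not read this block as its diff.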

Timeline

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. (13 days ago)
Ileana Barrionuevo modified their report. (13 days ago)
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back. (12 days ago)
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. (9 days ago)
janeczku validated this vulnerability. (8 days ago)
Ileana Barrionuevo has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
janeczku confirmed that a fix has been merged on 7ad419. (8 days ago)
The fix bounty has been dropped.
edit_books.js#L251 has been validated.
edit_books.js#L259 has been validated.