Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
Valid
Reported on Nov 15th 2021
Description
It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format.
Proof of Concept
The file edit_books.js contains the following code:
$("#btn-upload-cover").on("change", function () {
    var filename = $(this).val();
    // Browsers prefix file input values with "C:\fakepath\"; strip that prefix
    if (filename.substring(3, 11) === "fakepath") {
        filename = filename.substring(12);
    }
    $("#upload-cover").html(filename); // this is the vulnerable code: the filename is parsed as HTML
});
Impact
This allows stealing cookies, for example, but the range of possible attacks depends on the payload.
Occurrences
edit_books.js L251
Here is the same case when uploading a format.
edit_books.js L259
When uploading a cover, the user-supplied filename is inserted directly into the DOM as HTML.
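As an added example, not code from the calibre-web project, the same filename handling written as plain functions so the unsafe `.html()` path and a hardened `.text()` equivalent can be compared outside a browser; the sample filename is constructed.

```javascript
// Added example (not calibre-web's code): the filename handling from
// edit_books.js as pure functions, so the unsafe and safe rendering
// paths can be compared without a browser or jQuery.

// Browsers prefix <input type=file> values with "C:\fakepath\"; strip it,
// exactly as the original handler does.
function stripFakepath(value) {
  if (value.substring(3, 11) === "fakepath") {
    return value.substring(12);
  }
  return value;
}

// Minimal HTML escaping. This is what jQuery's .text() achieves by
// setting textContent instead of parsing the string as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the string $("#upload-cover").html(filename) hands to the
// parser. Markup in the filename becomes live DOM nodes.
function renderUnsafe(value) {
  return stripFakepath(value);
}

// Hardened: the equivalent of $("#upload-cover").text(filename).
// Markup in the filename is displayed literally and cannot execute.
function renderSafe(value) {
  return escapeHtml(stripFakepath(value));
}

// Constructed sample: a file renamed to carry markup before upload.
const SAMPLE = "C:\\fakepath\\<img src=x onerror=alert(1)>.jpg";

// renderUnsafe(SAMPLE) -> "<img src=x onerror=alert(1)>.jpg"
// renderSafe(SAMPLE)   -> "&lt;img src=x onerror=alert(1)&gt;.jpg"
```

The same comparison applies to the format upload handler at L259, since both insert the raw filename with `.html()`.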
We are processing your report and will contact the janeczku/calibre-web team within 24 hours. (a year ago)
Ileana Barrionuevo modified the report. (a year ago)
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back. (a year ago)
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. (a year ago)
edit_books.js#L251 has been validated
edit_books.js#L259 has been validated