Cross-site Scripting (XSS) - DOM in janeczku/calibre-web


Reported on

Nov 15th 2021


It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format.

Proof of Concept

The file edit_books.js contains the following code:

$("#btn-upload-cover").on("change", function () {
    var filename = $(this).val();
    if (filename.substring(3, 11) === "fakepath") {
        filename = filename.substring(12);
    $("#upload-cover").html(filename); # this is the vulnerable code.

XSS PoC (video)


This allows stoling cookies, for example. But the variety of attacks can increase depending on the payload.


Here is the same case, when uploading the format.

When uploading a cover, the DOM interprets directly the input from the user.

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
Ileana Barrionuevo modified the report
a year ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
janeczku validated this vulnerability a year ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku marked this as fixed with commit 7ad419 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
edit_books.js#L251 has been validated
edit_books.js#L259 has been validated
to join this conversation