Cross-site Scripting (XSS) - Stored in janeczku/calibre-web

Valid

Reported on

Dec 20th 2021


Description

A missing input check on book identifiers leads to stored XSS: the identifier value entered under Edit metadata is used as the target of the identifier link on the book page without any validation of its URL scheme, so a javascript: URL stored there executes when the link is clicked.

Steps to reproduce

  1. Any book -> Edit metadata -> Identifiers
  2. Set any value in the first (type) field and javascript:alert(document.domain) in the second (value) field.
  3. Save the book, open it, and click the identifier link -> XSSed!

Proof of Concept

Video PoC

P.S.: this exploit works in Firefox and Safari, not Chrome.

Impact

An attacker who is allowed to edit book metadata gets JavaScript executed in the browser of any user who clicks the poisoned identifier link, in the origin of the calibre-web instance. That is enough for cookie theft, key logging, and performing actions as the victim, etc. Because the payload lives in the link's href rather than in the page body, it fires only on a click, not on merely viewing the book.

Occurrences

Note that an encoded form of the payload also works (the check, where present, must be applied to the decoded value): for instance javascript:alert(1) will work too.
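The steps and the encoding note above describe the same root cause: a user-supplied identifier value ends up in an href, and neither HTML escaping nor a naive string match on "javascript:" stops it. The block below is an added example written for this page, not calibre-web's code or its fix. It assumes a hypothetical identifier model (a type/value pair, a small table of known types that expand to fixed URL templates, and pass-through of the value for unknown types) and shows the vulnerable pass-through beside an allow-list check that first normalizes the value the way a browser's URL parser would (entity decoding, stripping of leading controls and spaces, removal of embedded tab/LF/CR). The sample identifier values are constructed.

```python
"""Added example: why output escaping does not stop a javascript: identifier,
and the allow-list check that does. Illustrative code written for this page,
not calibre-web's own implementation or its fix.

Assumptions (hypothetical, not from the report or the project):
- an identifier is stored as a (type, value) pair;
- a few well-known types expand to a fixed URL template, any other type uses
  the value itself as the link target.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Hypothetical URL templates for well-known identifier types.
KNOWN_TYPES = {
    "isbn": "https://www.worldcat.org/isbn/{0}",
    "doi": "https://dx.doi.org/{0}",
}

# C0 control characters and space: the WHATWG URL parser strips these from
# both ends of the input before it looks for a scheme.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(raw: str) -> str:
    """Approximate what a browser does with an href before scheme detection.

    Entity references are decoded when the attribute value is parsed, so
    '&#106;avascript:' reaches the URL parser as 'javascript:'. The URL parser
    then strips leading/trailing C0 controls and spaces and removes every tab,
    LF and CR anywhere in the string, so 'java\\tscript:' is also 'javascript:'.
    """
    s = html.unescape(raw)
    s = s.strip(_C0_OR_SPACE)
    return s.replace("\t", "").replace("\n", "").replace("\r", "")


def url_scheme(raw: str) -> str:
    """Scheme of the normalized URL, lower-cased; '' for relative values."""
    return urlsplit(normalize_url(raw)).scheme.lower()


def is_safe_identifier_value(val: str) -> bool:
    """Allow-list check: only absolute http(s) URLs may become an href.
    Denying 'javascript' alone would miss data:, vbscript: and future schemes."""
    return url_scheme(val) in ALLOWED_SCHEMES


def vulnerable_href(id_type: str, val: str) -> str:
    """Before: an unknown type passes the value straight through as the href.
    html.escape (what template autoescaping does) changes nothing here, because
    'javascript:alert(document.domain)' contains no <, >, &, or quotes."""
    template = KNOWN_TYPES.get(id_type.lower(), "{0}")
    return html.escape(template.format(val), quote=True)


def hardened_href(id_type: str, val: str) -> Optional[str]:
    """After: known types use their fixed https template; any other value is
    linked only if it passes the scheme allow-list, otherwise no href at all."""
    template = KNOWN_TYPES.get(id_type.lower())
    if template is None:
        if not is_safe_identifier_value(val):
            return None
        template = "{0}"
    return html.escape(template.format(val), quote=True)


# Constructed sample identifier values (not taken from the page, except the
# first one, which is the report's payload).
SAMPLES = [
    ("custom", "javascript:alert(document.domain)"),
    ("custom", "JaVaScRiPt:alert(1)"),                  # case variation
    ("custom", "&#106;avascript:alert(1)"),             # entity-encoded 'j'
    ("custom", "java\tscript:alert(1)"),                # embedded tab
    ("custom", " javascript:alert(1)"),                 # leading space
    ("custom", "data:text/html,<script>alert(1)</script>"),
    ("custom", "https://example.org/catalog/42"),
    ("isbn", "9780000000000"),
]


def audit(samples=SAMPLES):
    """Map each sample value to (vulnerable href, hardened href)."""
    return {val: (vulnerable_href(t, val), hardened_href(t, val)) for t, val in samples}


if __name__ == "__main__":
    for val, (before, after) in audit().items():
        print(f"{val!r:45} before={before!r} after={after!r}")
```

The design point is the order of operations: decode and normalize first, then parse the scheme, then compare against an allow-list. A deny-list substring match on the raw stored string is what the encoded variants in the note above defeat, and escaping at render time is irrelevant to scheme injection because the dangerous string is made entirely of characters that escaping leaves alone.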

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 5 months ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 5 months ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 5 months ago
janeczku validated this vulnerability 5 months ago
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
Scaramouche (Researcher), 4 months ago:

Could you please review this report as well? https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/

janeczku confirmed that a fix has been merged on 7ad419 4 months ago
The fix bounty has been dropped
editbooks.py#L214 has been validated