Cross-site Scripting (XSS) - Stored in janeczku/calibre-web

Valid

Reported on

Dec 20th 2021


Description

Missing input check on Identifiers leads to stored XSS.

Steps to reproduce

  1. Any book -> Edit metadata -> Identifiers
  2. Set any value to the first field and javascript:alert(document.domain) to the second one.
  3. Save the book, select it, click on Identifier -> XSSed!

Proof of Concept

Video PoC

P.S.: this exploit works in Firefox and Safari, not Chrome.

Impact

This vulnerability is capable of stealing cookies, key logging, etc.

Occurrences

Please note that it is possible to use encoding; for instance, javascript:alert(1) will work too.
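As an added illustration of the mitigation (this is not calibre-web's code and not the change made in commit 7ad419): a server-side allowlist check for identifier values that end up as link targets, which decodes the value the way a browser would before inspecting the scheme, so encoded or mixed-case variants of javascript: are rejected as well. Function names are hypothetical.

```python
"""Scheme allowlist for identifier link targets (illustrative, not calibre-web's code)."""
import html
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Only absolute http(s) links may be rendered as an <a href> for an identifier.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop ASCII controls and whitespace while parsing a scheme, so a
# value such as "java\tscript:" still executes; strip them before checking.
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")


def canonical_scheme(raw: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would see for `raw`,
    or None when the value has no scheme (e.g. a bare DOI or ISBN)."""
    value = html.unescape(raw)          # "&#106;avascript:" -> "javascript:"
    value = unquote(value)              # "javascript%3A" -> "javascript:"
    value = _CONTROL_CHARS.sub("", value)
    scheme = urlsplit(value).scheme     # urlsplit lower-cases the scheme
    return scheme or None


def is_safe_identifier_url(raw: str) -> bool:
    """True only for absolute http(s) links; javascript:, data:, vbscript:
    and scheme-less values are all refused as href targets."""
    return canonical_scheme(raw) in ALLOWED_SCHEMES


def sanitize_identifier(id_type: str, id_val: str) -> tuple:
    """Check performed when the edit-metadata form is saved: reject the
    identifier instead of storing a value that would later be linked."""
    if not is_safe_identifier_url(id_val):
        raise ValueError(f"identifier {id_type!r}: URL scheme not allowed")
    return id_type.strip(), id_val.strip()


if __name__ == "__main__":
    # Constructed sample inputs: the report's payload and a legitimate link.
    for sample in ("javascript:alert(document.domain)",
                   "https://www.worldcat.org/isbn/9780000000000"):
        print(sample, "->", is_safe_identifier_url(sample))
```

Output escaping in the template is still required for the value's text; this check only closes the href-scheme path described in the report.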

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
janeczku validated this vulnerability a year ago
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
Scaramouche (Researcher), a year ago:

Could you please review this report as well? https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/

janeczku marked this as fixed in 0.6.15 with commit 7ad419 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
editbooks.py#L214 has been validated