Vulnerabilites related to janeczku - calibre-web
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 15:43
Severity ?
Summary
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-site Scripting (XSS) en janeczku/calibre-web, espec\u00edficamente en el archivo `edit_books.js`. La vulnerabilidad se produce al editar las propiedades de un libro, como cargar una portada o un formato. El c\u00f3digo afectado inserta directamente la entrada del usuario en el DOM sin la limpieza adecuada, lo que permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario. Esto puede dar lugar a varios ataques, incluido el robo de cookies. El problema est\u00e1 presente en el c\u00f3digo que maneja el evento de cambio `#btn-upload-cover`."
}
],
"id": "CVE-2021-3988",
"lastModified": "2024-11-19T15:43:01.723",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T11:15:06.877",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-30 14:15
Modified
2024-11-21 06:38
Severity ?
Summary
Improper Access Control in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB8D7F6F-1609-4EA3-8689-20CC0D5FA4C5",
"versionEndExcluding": "0.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Pypi calibreweb prior to 0.6.16."
},
{
"lang": "es",
"value": "Un Control de Acceso Inapropiado en Pypi calibreweb versiones anteriores a 0.6.16"
}
],
"id": "CVE-2022-0273",
"lastModified": "2024-11-21T06:38:16.947",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-30T14:15:07.597",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-07 07:15
Modified
2024-11-21 06:39
Severity ?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E43AE325-09EA-47E5-878F-360B5C90F01D",
"versionEndExcluding": "0.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.17"
}
],
"id": "CVE-2022-0767",
"lastModified": "2024-11-21T06:39:21.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.1,
"impactScore": 5.3,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.3,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-07T07:15:07.463",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-28 22:15
Modified
2024-11-21 06:38
Severity ?
Summary
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB8D7F6F-1609-4EA3-8689-20CC0D5FA4C5",
"versionEndExcluding": "0.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Reflejado en Pypi calibreweb versiones anteriores a 0.6.16"
}
],
"id": "CVE-2022-0352",
"lastModified": "2024-11-21T06:38:26.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-28T22:15:15.327",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-03 19:15
Modified
2024-11-21 06:38
Severity ?
Summary
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB8D7F6F-1609-4EA3-8689-20CC0D5FA4C5",
"versionEndExcluding": "0.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16."
},
{
"lang": "es",
"value": "Un Control de Acceso Inapropiado en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.16"
}
],
"id": "CVE-2022-0405",
"lastModified": "2024-11-21T06:38:33.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-03T19:15:07.817",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 18:15
Modified
2024-11-21 06:39
Severity ?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6AC00DC5-E71A-41B8-9728-374A14EE4458",
"versionEndExcluding": "0.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.18"
}
],
"id": "CVE-2022-0990",
"lastModified": "2024-11-21T06:39:48.617",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T18:15:07.817",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 15:44
Severity ?
Summary
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de control de acceso indebido en janeczku/calibre-web. La versi\u00f3n afectada permite a los usuarios sin permisos de estanter\u00eda p\u00fablica crear estanter\u00edas p\u00fablicas. La vulnerabilidad se debe a que el m\u00e9todo `create_shelf` en `shelf.py` no verifica si el usuario tiene los permisos necesarios para crear una estanter\u00eda p\u00fablica. Este problema puede provocar que los usuarios realicen acciones no autorizadas."
}
],
"id": "CVE-2021-3987",
"lastModified": "2024-11-19T15:44:38.113",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T11:15:06.610",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-15 13:15
Modified
2025-02-06 16:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4CFCBA02-FCF2-4465-85CC-2A0E784C49D3",
"versionEndExcluding": "0.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"id": "CVE-2022-2525",
"lastModified": "2025-02-06T16:15:30.503",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-04-15T13:15:44.940",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-30 14:15
Modified
2024-11-21 06:38
Severity ?
Summary
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB8D7F6F-1609-4EA3-8689-20CC0D5FA4C5",
"versionEndExcluding": "0.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Pypi calibreweb versiones anteriores a 0.6.16"
}
],
"id": "CVE-2022-0339",
"lastModified": "2024-11-21T06:38:24.717",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-30T14:15:07.877",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-07 07:15
Modified
2024-11-21 06:39
Severity ?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E43AE325-09EA-47E5-878F-360B5C90F01D",
"versionEndExcluding": "0.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.17"
}
],
"id": "CVE-2022-0766",
"lastModified": "2024-11-21T06:39:21.140",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-07T07:15:07.257",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-16 02:15
Modified
2024-11-21 07:03
Severity ?
Summary
Calibre-Web before 0.6.18 allows user table SQL Injection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/janeczku/calibre-web/blob/master/SECURITY.md | Third Party Advisory | |
| cve@mitre.org | https://github.com/janeczku/calibre-web/releases/tag/0.6.18 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/blob/master/SECURITY.md | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/releases/tag/0.6.18 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | 0.6.18 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:0.6.18:*:*:*:*:*:*:*",
"matchCriteriaId": "CFC2D2B1-9DCA-4F48-8385-0EB880737944",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web before 0.6.18 allows user table SQL Injection."
},
{
"lang": "es",
"value": "Calibre-Web versiones anteriores a 0.6.18, permite una inyecci\u00f3n SQL en la tabla de usuario"
}
],
"id": "CVE-2022-30765",
"lastModified": "2024-11-21T07:03:20.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-16T02:15:06.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-03 19:15
Modified
2024-11-21 06:38
Severity ?
Summary
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB8D7F6F-1609-4EA3-8689-20CC0D5FA4C5",
"versionEndExcluding": "0.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16."
},
{
"lang": "es",
"value": "Una Autorizaci\u00f3n Inapropiada en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.16"
}
],
"id": "CVE-2022-0406",
"lastModified": "2024-11-21T06:38:33.543",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-03T19:15:07.880",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-15 14:15
Modified
2025-02-06 16:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4CFCBA02-FCF2-4465-85CC-2A0E784C49D3",
"versionEndExcluding": "0.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"id": "CVE-2023-2106",
"lastModified": "2025-02-06T16:15:36.850",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-04-15T14:15:07.760",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-17 10:15
Modified
2024-11-21 06:37
Severity ?
Summary
calibre-web is vulnerable to Business Logic Errors
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Business Logic Errors"
},
{
"lang": "es",
"value": "calibre-web es vulnerable a Errores de L\u00f3gica Empresarial"
}
],
"id": "CVE-2021-4171",
"lastModified": "2024-11-21T06:37:03.750",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.3,
"impactScore": 5.8,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-17T10:15:07.857",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-840"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-16 21:15
Modified
2024-11-21 06:37
Severity ?
Summary
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
{
"lang": "es",
"value": "calibre-web es vulnerable a una Neutralizaci\u00f3n Inapropiada de Entradas Durante la Generaci\u00f3n de P\u00e1ginas Web (\"Cross-site Scripting\")"
}
],
"id": "CVE-2021-4170",
"lastModified": "2024-11-21T06:37:03.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-16T21:15:07.900",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-19 20:15
Modified
2025-07-09 15:28
Severity ?
Summary
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94480F88-F928-41E1-8674-92970EDCC8F7",
"versionEndIncluding": "0.6.21",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization."
},
{
"lang": "es",
"value": " En janeczku Calibre-Web 0.6.0 a 0.6.21, la funci\u00f3n edit_book_comments es vulnerable a Cross Site Scripting (XSS) debido a una sanitizaci\u00f3n inadecuada realizada por la funci\u00f3n clean_string. La vulnerabilidad surge de la forma en que la funci\u00f3n clean_string maneja la sanitizaci\u00f3n de HTML."
}
],
"id": "CVE-2024-39123",
"lastModified": "2025-07-09T15:28:45.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-19T20:15:07.797",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-11-16 10:15
Modified
2024-11-21 05:55
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "703730EE-5EE8-479D-97A3-E1EC55A75369",
"versionEndIncluding": "0.6.13",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application."
},
{
"lang": "es",
"value": "En Calibre-web, versiones 0.6.0 a 0.6.13, son vulnerables a un ataque de tipo Cross-Site Request Forgery (CSRF). Al atraer a un usuario autenticado para que haga clic en un enlace, un atacante puede crear un nuevo rol de usuario con privilegios de administrador y credenciales controladas por el atacante, permiti\u00e9ndole tomar el control de la aplicaci\u00f3n"
}
],
"id": "CVE-2021-25965",
"lastModified": "2024-11-21T05:55:41.447",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-16T10:15:06.947",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-04 15:15
Modified
2024-11-21 05:55
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CC8E66D2-7321-46E4-81CC-097EA0A8794F",
"versionEndExcluding": "0.6.12",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In \u201cCalibre-web\u201d application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \u201cMetadata\u201d. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered."
},
{
"lang": "es",
"value": "En la aplicaci\u00f3n \"Calibre-web\", versiones v0.6.0 a v0.6.12, son vulnerables a un ataque de tipo XSS almacenado en \"Metadata\". Un atacante que tenga acceso a editar la informaci\u00f3n de los metadatos, puede inyectar una carga \u00fatil de JavaScript en el campo description. Cuando una v\u00edctima intente abrir el archivo, el ataque de tipo XSS ser\u00e1 desencadenado"
}
],
"id": "CVE-2021-25964",
"lastModified": "2024-11-21T05:55:41.320",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-04T15:15:07.310",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
},
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 10:15
Modified
2024-11-21 06:39
Severity ?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6AC00DC5-E71A-41B8-9728-374A14EE4458",
"versionEndExcluding": "0.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el repositorio de GitHub janeczku/calibre-web versiones anteriores a 0.6.18"
}
],
"id": "CVE-2022-0939",
"lastModified": "2024-11-21T06:39:42.297",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.3,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T10:15:08.477",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-17 13:15
Modified
2024-11-21 06:37
Severity ?
Summary
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)"
},
{
"lang": "es",
"value": "calibre-web es vulnerable a un ataque de tipo Cross-Site Request Forgery (CSRF)"
}
],
"id": "CVE-2021-4164",
"lastModified": "2024-11-21T06:37:02.890",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-17T13:15:08.193",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 17:12
Severity ?
Summary
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548 | Patch | |
| security@huntr.dev | https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB86DF8E-5F67-41CA-B657-D8E0A61CD22A",
"versionEndExcluding": "0.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix."
},
{
"lang": "es",
"value": "Una vulnerabilidad en janeczku/calibre-web permite a usuarios no autorizados ver los nombres de los estantes privados que pertenecen a otros usuarios. Este problema se produce en el archivo shelf.py en la l\u00ednea 221, donde el nombre del estante se expone en un mensaje de error cuando un usuario intenta eliminar un libro de un estante que no es de su propiedad. Esta vulnerabilidad revela informaci\u00f3n privada y afecta a todas las versiones anteriores a la correcci\u00f3n."
}
],
"id": "CVE-2021-3986",
"lastModified": "2024-11-19T17:12:50.000",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T11:15:06.400",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-04 03:15
Modified
2024-11-21 04:59
Severity ?
Summary
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/janeczku/calibre-web/pull/1337 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janeczku/calibre-web/pull/1337 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | calibre-web | 0.6.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:janeczku:calibre-web:0.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "6B2AE5A3-A014-46A6-9582-F1A294C6B7A6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web 0.6.6 allows authentication bypass because of the \u0027A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\u0027 hardcoded secret key."
},
{
"lang": "es",
"value": "Calibre-Web versi\u00f3n 0.6.6, permite una omisi\u00f3n de autenticaci\u00f3n debido a la clave secreta embebida \"A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\"."
}
],
"id": "CVE-2020-12627",
"lastModified": "2024-11-21T04:59:56.873",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-04T03:15:10.917",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-12627 (GCVE-0-2020-12627)
Vulnerability from cvelistv5
Published
2020-05-04 02:16
Modified
2024-08-04 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/pull/1337 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:21.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web 0.6.6 allows authentication bypass because of the \u0027A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\u0027 hardcoded secret key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T02:16:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Calibre-Web 0.6.6 allows authentication bypass because of the \u0027A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\u0027 hardcoded secret key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/pull/1337",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12627",
"datePublished": "2020-05-04T02:16:06",
"dateReserved": "2020-05-04T00:00:00",
"dateUpdated": "2024-08-04T12:04:21.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0405 (GCVE-0-2022-0405)
Vulnerability from cvelistv5
Published
2022-04-03 18:30
Modified
2024-08-02 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | x_refsource_MISC | |
| https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-03T18:30:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
],
"source": {
"advisory": "370538f6-5312-4c15-9fc0-b4c36ac236fe",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0405",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"name": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
]
},
"source": {
"advisory": "370538f6-5312-4c15-9fc0-b4c36ac236fe",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0405",
"datePublished": "2022-04-03T18:30:15",
"dateReserved": "2022-01-28T00:00:00",
"dateUpdated": "2024-08-02T23:25:40.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2106 (GCVE-0-2023-2106)
Vulnerability from cvelistv5
Published
2023-04-15 00:00
Modified
2025-02-06 15:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-521 - Weak Password Requirements
Summary
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-2106",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T15:32:47.898937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T15:33:47.636Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-15T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
}
],
"source": {
"advisory": "c3d5c647-7557-40a9-aee4-24dc14882781",
"discovery": "EXTERNAL"
},
"title": "Weak Password Requirements in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-2106",
"datePublished": "2023-04-15T00:00:00.000Z",
"dateReserved": "2023-04-15T00:00:00.000Z",
"dateUpdated": "2025-02-06T15:33:47.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0273 (GCVE-0-2022-0273)
Vulnerability from cvelistv5
Published
2022-01-30 13:21
Modified
2024-08-02 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Improper Access Control in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-30T13:21:51",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
],
"source": {
"advisory": "8f27686f-d698-4ab6-8ef0-899125792f13",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0273",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
]
},
"source": {
"advisory": "8f27686f-d698-4ab6-8ef0-899125792f13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0273",
"datePublished": "2022-01-30T13:21:51",
"dateReserved": "2022-01-18T00:00:00",
"dateUpdated": "2024-08-02T23:25:40.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39123 (GCVE-0-2024-39123)
Vulnerability from cvelistv5
Published
2024-07-19 00:00
Modified
2024-08-02 04:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThanOrEqual": "0.6.21",
"status": "affected",
"version": "0.6.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39123",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T15:47:04.835629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T15:50:22.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T19:44:28.146610",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-39123",
"datePublished": "2024-07-19T00:00:00",
"dateReserved": "2024-06-21T00:00:00",
"dateUpdated": "2024-08-02T04:19:20.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4170 (GCVE-0-2021-4170)
Vulnerability from cvelistv5
Published
2022-01-16 20:55
Modified
2024-08-03 17:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-16T20:55:09",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
],
"source": {
"advisory": "ff395101-e392-401d-ab4f-579c63fbf6a0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4170",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
]
},
"source": {
"advisory": "ff395101-e392-401d-ab4f-579c63fbf6a0",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4170",
"datePublished": "2022-01-16T20:55:10",
"dateReserved": "2021-12-25T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0766 (GCVE-0-2022-0766)
Vulnerability from cvelistv5
Published
2022-03-07 07:05
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | x_refsource_MISC | |
| https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.17 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T07:05:19",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
],
"source": {
"advisory": "7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0766",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.17"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"name": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
]
},
"source": {
"advisory": "7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0766",
"datePublished": "2022-03-07T07:05:19",
"dateReserved": "2022-02-26T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30765 (GCVE-0-2022-30765)
Vulnerability from cvelistv5
Published
2022-05-16 01:50
Modified
2024-08-03 06:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Calibre-Web before 0.6.18 allows user table SQL Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/blob/master/SECURITY.md | x_refsource_MISC | |
| https://github.com/janeczku/calibre-web/releases/tag/0.6.18 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:14.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web before 0.6.18 allows user table SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T01:50:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-30765",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Calibre-Web before 0.6.18 allows user table SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"name": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-30765",
"datePublished": "2022-05-16T01:50:53",
"dateReserved": "2022-05-16T00:00:00",
"dateUpdated": "2024-08-03T06:56:14.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3987 (GCVE-0-2021-3987)
Vulnerability from cvelistv5
Published
2024-11-15 10:52
Modified
2024-11-15 18:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:calibre-web_project:calibre-web:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "calibre-web",
"vendor": "calibre-web_project",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3987",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T18:27:02.281125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:28:12.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:09.048Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df"
},
{
"url": "https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874"
}
],
"source": {
"advisory": "29fcc091-87b6-43bc-ab4b-3c0bec3f71df",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2021-3987",
"datePublished": "2024-11-15T10:52:29.478Z",
"dateReserved": "2021-11-20T12:01:47.041Z",
"dateUpdated": "2024-11-15T18:28:12.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25964 (GCVE-0-2021-25964)
Vulnerability from cvelistv5
Published
2021-10-04 14:55
Modified
2025-04-30 16:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964 | x_refsource_MISC | |
| https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OzzieIsaacs | calibreweb |
Version: 0.6.0 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25964",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T16:10:31.385133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T16:24:59.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "calibreweb",
"vendor": "OzzieIsaacs",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.6.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In \u201cCalibre-web\u201d application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \u201cMetadata\u201d. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T14:55:10.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 0.6.13"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-10-02T14:38:00.000Z",
"ID": "CVE-2021-25964",
"STATE": "PUBLIC",
"TITLE": "Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "calibreweb",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.6.0"
},
{
"version_affected": "\u003c=",
"version_value": "0.6.12"
}
]
}
}
]
},
"vendor_name": "OzzieIsaacs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In \u201cCalibre-web\u201d application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \u201cMetadata\u201d. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 0.6.13"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25964",
"datePublished": "2021-10-04T14:55:10.213Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T16:24:59.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25965 (GCVE-0-2021-25965)
Vulnerability from cvelistv5
Published
2021-11-16 09:15
Modified
2025-04-30 15:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e | x_refsource_MISC | |
| https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| calibreweb | calibreweb |
Version: 0.6.0 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:29:26.148130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:46:00.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "calibreweb",
"vendor": "calibreweb",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.6.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-16T09:15:11.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 0.6.14"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2021-25965",
"STATE": "PUBLIC",
"TITLE": "Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "calibreweb",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.6.0"
},
{
"version_affected": "\u003c=",
"version_value": "0.6.13"
}
]
}
}
]
},
"vendor_name": "calibreweb"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 0.6.14"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25965",
"datePublished": "2021-11-16T09:15:11.000Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T15:46:00.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0939 (GCVE-0-2022-0939)
Vulnerability from cvelistv5
Published
2022-04-04 09:40
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T09:40:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
],
"source": {
"advisory": "768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0939",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.18"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
]
},
"source": {
"advisory": "768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0939",
"datePublished": "2022-04-04T09:40:10",
"dateReserved": "2022-03-13T00:00:00",
"dateUpdated": "2024-08-02T23:47:43.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4171 (GCVE-0-2021-4171)
Vulnerability from cvelistv5
Published
2022-01-17 09:45
Modified
2024-08-03 17:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-840 - Business Logic Errors
Summary
calibre-web is vulnerable to Business Logic Errors
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Business Logic Errors"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "CWE-840 Business Logic Errors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T09:45:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
],
"source": {
"advisory": "1117f439-133c-4563-afb2-6cd80607bd5c",
"discovery": "EXTERNAL"
},
"title": "Business Logic Errors in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4171",
"STATE": "PUBLIC",
"TITLE": "Business Logic Errors in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Business Logic Errors"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-840 Business Logic Errors"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
]
},
"source": {
"advisory": "1117f439-133c-4563-afb2-6cd80607bd5c",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4171",
"datePublished": "2022-01-17T09:45:10",
"dateReserved": "2021-12-26T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0767 (GCVE-0-2022-0767)
Vulnerability from cvelistv5
Published
2022-03-07 07:05
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.17 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.721Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T07:05:11",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
],
"source": {
"advisory": "b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0767",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.17"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
]
},
"source": {
"advisory": "b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0767",
"datePublished": "2022-03-07T07:05:11",
"dateReserved": "2022-02-26T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0352 (GCVE-0-2022-0352)
Vulnerability from cvelistv5
Published
2022-01-28 21:29
Modified
2024-08-02 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T21:29:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
],
"source": {
"advisory": "a577ff17-2ded-4c41-84ae-6ac02440f717",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0352",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
]
},
"source": {
"advisory": "a577ff17-2ded-4c41-84ae-6ac02440f717",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0352",
"datePublished": "2022-01-28T21:29:15",
"dateReserved": "2022-01-24T00:00:00",
"dateUpdated": "2024-08-02T23:25:40.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4164 (GCVE-0-2021-4164)
Vulnerability from cvelistv5
Published
2022-01-17 12:35
Modified
2024-08-03 17:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T12:35:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
],
"source": {
"advisory": "2debace1-a0f3-45c1-95fa-9d0512680758",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Request Forgery (CSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4164",
"STATE": "PUBLIC",
"TITLE": "Cross-Site Request Forgery (CSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
]
},
"source": {
"advisory": "2debace1-a0f3-45c1-95fa-9d0512680758",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4164",
"datePublished": "2022-01-17T12:35:10",
"dateReserved": "2021-12-24T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0406 (GCVE-0-2022-0406)
Vulnerability from cvelistv5
Published
2022-04-03 19:05
Modified
2024-08-02 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-03T19:05:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
],
"source": {
"advisory": "d7498799-4797-4751-b5e2-b669e729d5db",
"discovery": "EXTERNAL"
},
"title": "Improper Authorization in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0406",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
]
},
"source": {
"advisory": "d7498799-4797-4751-b5e2-b669e729d5db",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0406",
"datePublished": "2022-04-03T19:05:10",
"dateReserved": "2022-01-28T00:00:00",
"dateUpdated": "2024-08-02T23:25:40.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3986 (GCVE-0-2021-3986)
Vulnerability from cvelistv5
Published
2024-11-15 10:52
Modified
2024-11-15 18:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Summary
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:calibre-web_project:calibre-web:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "calibre-web",
"vendor": "calibre-web_project",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3986",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T18:30:20.257151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:31:36.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:16.135Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca"
},
{
"url": "https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548"
}
],
"source": {
"advisory": "394af194-61a7-4e33-b373-877d4c766fca",
"discovery": "EXTERNAL"
},
"title": "Information Disclosure in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2021-3986",
"datePublished": "2024-11-15T10:52:21.551Z",
"dateReserved": "2021-11-20T11:08:36.338Z",
"dateUpdated": "2024-11-15T18:31:36.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0990 (GCVE-0-2022-0990)
Vulnerability from cvelistv5
Published
2022-04-04 17:50
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367 | x_refsource_MISC | |
| https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T17:50:17",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"source": {
"advisory": "31649903-c19c-4dae-aee0-a04b095855c5",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0990",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.18"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"name": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
]
},
"source": {
"advisory": "31649903-c19c-4dae-aee0-a04b095855c5",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0990",
"datePublished": "2022-04-04T17:50:17",
"dateReserved": "2022-03-15T00:00:00",
"dateUpdated": "2024-08-02T23:47:43.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2525 (GCVE-0-2022-2525)
Vulnerability from cvelistv5
Published
2023-04-15 00:00
Modified
2025-02-06 16:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.20 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T16:02:14.757050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:02:55.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-15T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
},
{
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
}
],
"source": {
"advisory": "9ff87820-c14c-4454-9764-406496254ef0",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2525",
"datePublished": "2023-04-15T00:00:00.000Z",
"dateReserved": "2022-07-24T00:00:00.000Z",
"dateUpdated": "2025-02-06T16:02:55.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3988 (GCVE-0-2021-3988)
Vulnerability from cvelistv5
Published
2024-11-15 10:52
Modified
2024-11-20 22:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3988",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T22:31:41.647596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T22:35:15.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:13.347Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609"
},
{
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
],
"source": {
"advisory": "fa4c8fd1-7846-4dad-9112-2c07461f0609",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2021-3988",
"datePublished": "2024-11-15T10:52:39.637Z",
"dateReserved": "2021-11-20T12:40:59.399Z",
"dateUpdated": "2024-11-20T22:35:15.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0339 (GCVE-0-2022-0339)
Vulnerability from cvelistv5
Published
2022-01-30 13:17
Modified
2024-08-02 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369 | x_refsource_CONFIRM | |
| https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| janeczku | janeczku/calibre-web |
Version: unspecified < 0.6.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-30T13:17:54",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
],
"source": {
"advisory": "499688c4-6ac4-4047-a868-7922c3eab369",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0339",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
]
},
"source": {
"advisory": "499688c4-6ac4-4047-a868-7922c3eab369",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0339",
"datePublished": "2022-01-30T13:17:54",
"dateReserved": "2022-01-22T00:00:00",
"dateUpdated": "2024-08-02T23:25:40.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}