
THREATINT
PUBLISHED

CVE-2021-3988

Cross-site Scripting (XSS) in janeczku/calibre-web



Description

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, in the client-side file `edit_books.js`. It is reachable while editing book properties, for example when uploading a cover image or a book format: the handler for the `#btn-upload-cover` change event inserts user-controlled input directly into the DOM without neutralising it, so the browser parses that input as HTML and any embedded script runs in the context of the calibre-web session. Consequences include theft of session cookies. The CVSS vector (PR:L, UI:R) reflects that exploitation requires low-privilege access to the application and a user action.
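The following is an added example, not code from calibre-web or from the advisory. It models the pattern the description names (user-controlled input, here a file name from a file-input change event, written into an HTML-parsing sink) beside two hardened forms: a text sink, and explicit HTML escaping when markup is genuinely required. The element mock, the function names and the hostile file name are assumptions constructed for the example; the mock serialises `textContent` the way a browser would so the example runs in Node as well as in a page.

```javascript
// Added example (not calibre-web code). Models the advisory's bug pattern:
// a user-chosen value reaching an HTML-parsing sink without neutralisation.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal stand-in for a DOM element (assumption, so the example runs offline).
// innerHTML stores markup that a browser would parse; textContent stores plain
// text, which serialises back to HTML escaped, as a real element does.
function makeNode() {
  let markup = "";
  return {
    set innerHTML(v) { markup = String(v); },
    get innerHTML() { return markup; },
    set textContent(v) { markup = escapeHtml(v); },
  };
}

// Constructed attacker-controlled file name, the kind of value a change handler
// on a file input would read from event.target.files[0].name.
const HOSTILE_NAME = '<img src=x onerror="alert(document.cookie)">.jpg';

// Vulnerable pattern: raw input concatenated into an HTML-parsing sink.
function showSelectedFileUnsafe(node, fileName) {
  node.innerHTML = "Selected cover: " + fileName; // parsed as markup
  return node.innerHTML;
}

// Hardened pattern 1: use a text sink so the value is never parsed as HTML.
function showSelectedFileSafe(node, fileName) {
  node.textContent = "Selected cover: " + fileName;
  return node.innerHTML; // what the browser would serialise: entities, no tag
}

// Hardened pattern 2: when surrounding markup is needed, escape the untrusted
// part before concatenating. Only the trusted literal keeps its tags.
function showSelectedFileEscaped(node, fileName) {
  node.innerHTML = "<b>Selected cover:</b> " + escapeHtml(fileName);
  return node.innerHTML;
}

// Check whether serialised markup contains a live start tag of the given name.
function hasLiveTag(markup, tagName) {
  return new RegExp("<" + tagName + "\\b", "i").test(markup);
}
```

Running the three renderers over `HOSTILE_NAME` shows the difference: the unsafe variant leaves a live `<img ... onerror=...>` in the markup, while both hardened variants produce `&lt;img ...` text that the browser displays literally. In a real handler, prefer the text sink (`textContent`, or jQuery's `.text()`) over escaping, since it cannot be undone by a later code path that forgets to escape.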

Reserved 2021-11-20 | Published 2024-11-15 | Updated 2024-11-20 | Assigner @huntr_ai


MEDIUM: 5.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version: affected

References

huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609

github.com/...ommit/7ad419dc8c12180e842a82118f4866ac3d074bc5

cve.org (CVE-2021-3988)

nvd.nist.gov (CVE-2021-3988)

https://cve.threatint.com/CVE/CVE-2021-3988