CVE-2024-39307 | THREATINT

Assigner	GitHub_M
Reserved	2024-06-21
Published	2024-06-28
Updated	2024-06-29

Description

Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.

LOW: 3.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

<= 0.8.0

affected

References

https://github.com/Kareadita/Kavita/security/advisories/GHSA-r4qc-3w52-2v84

cve.org CVE-2024-39307

nvd.nist.gov CVE-2024-39307

Download JSON