In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
Calibre-Web before 0.6.18 allows user table SQL Injection.
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
Server-Side Request Forgery in Pypi calibreweb prior to 0.6.16.
Improper Access Control in Pypi calibreweb prior to 0.6.16.
Cross-site Scripting - Reflected in Pypi calibreweb prior to 0.6.16.
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
calibre-web is vulnerable to Business Logic Errors