CVE-2021-3988: Cross-site Scripting (XSS) - DOM in janeczku/calibre-web

November 15, 2024 (updated November 19, 2024)

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file edit_books.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.

References

github.com/advisories/GHSA-r735-9gc6-2hvq
github.com/janeczku/calibre-web
github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5
huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609
nvd.nist.gov/vuln/detail/CVE-2021-3988

Detect and mitigate CVE-2021-3988 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →