CVE-2021-3988

MEDIUM

calibre-web < 0.6.15 - Stored Cross-Site Scripting in Book Edit Function via Cover Upload

Title source: llm

Description

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability is triggered when editing book properties, such as uploading a cover or a format. The affected code inserts user-controlled input directly into the DOM without proper sanitization, allowing an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to various attacks, including theft of session cookies. The issue is present in the code handling the `#btn-upload-cover` change event.

Scores

CVSS v3 6.1
EPSS 0.0036
EPSS Percentile 27.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
janeczku/calibre-web < 0.6.15
pypi/calibreweb 0 - 0.6.15 (PyPI)
Published Nov 15, 2024
Tracked Since Feb 18, 2026