CVE-2024-39123

MEDIUM

janeczku Calibre-Web 0.6.0-0.6.21 - Cross-Site Scripting in Edit Book Comments

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-39123. PoCs published by theexploiters.

AI-analyzed exploit summary This repository provides a detailed technical writeup for CVE-2024-39123, a stored XSS vulnerability in Calibre-web 0.6.21. It includes steps to reproduce the vulnerability, impact analysis, and mitigation recommendations.

Description

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

Exploits (1)

nomisec WRITEUP 2 stars

by theexploiters · poc

https://github.com/theexploiters/CVE-2024-39123-Exploit

View Code ZIP pw:eip

This repository provides a detailed technical writeup for CVE-2024-39123, a stored XSS vulnerability in Calibre-web 0.6.21. It includes steps to reproduce the vulnerability, impact analysis, and mitigation recommendations.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Calibre-web 0.6.21

Auth required

Prerequisites: Valid user account · Access to the book upload functionality

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123

View Exploit ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.1645

EPSS Percentile 95.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

janeczku/calibre-web 0.6.0 - 0.6.21

pypi/calibreweb 0.6.0PyPI

Published Jul 19, 2024

Tracked Since Feb 18, 2026