CVE-2024-39123

MEDIUM

Janeczku Calibre-web < 0.6.21 - XSS

Title source: rule

Description

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

Exploits (1)

nomisec WRITEUP 2 stars

by theexploiters · poc

https://github.com/theexploiters/CVE-2024-39123-Exploit

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123

Scores

CVSS v3 5.4

EPSS 0.1645

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

janeczku/calibre-web 0.6.0 - 0.6.21

pypi/calibreweb 0.6.0PyPI

Published Jul 19, 2024

Tracked Since Feb 18, 2026