Cross-site Scripting (XSS) - Stored in janeczku/calibre-web

Vulnerability

Calibre-Web, a web application for browsing and reading eBooks stored in a Calibre database, is vulnerable to cross-site scripting (XSS) [2]. The flaw resides in the upload handler for book covers and book formats. In the JavaScript code, the .html() method is used to insert a filename retrieved from the file input field into the DOM, such as $("#upload-format").html(filename) and $("#upload-cover").html(filename). This allows an attacker who can upload a book cover or format file with a malicious filename containing HTML or JavaScript payload to inject arbitrary script code. The code path is reachable by any authenticated user who has permission to edit books, specifically to upload covers or formats. The commit that fixes the issue [3] shows the change to .text() which safely escapes the string. Affected versions include all releases prior to the fix commit (identified in commit 7ad419dc8c12180e842a82118f4866ac3d074bc5).

Exploitation

An authenticated user with permission to upload covers or formats to a book can create a file with a filename containing HTML tags or JavaScript, such as .jpg. When the user (or an administrator managing the library) views the page where the upload form is processed, the malicious filename is rendered unsanitized by jQuery's .html() method, executing the injected script in the context of the victim's browser [3]. No additional user interaction beyond the victim viewing the affected page is required; the exploit occurs automatically when the uploaded filename is displayed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript within the browser session of the victim user. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, access to sensitive data displayed on the page (such as user list or library contents), or further XSS-based attacks. The scope of compromise is limited to the browser context of the victim, but can escalate depending on the privileges of the victim (e.g., an administrator may perform privileged actions via the injected script).

Mitigation

The vulnerability was fixed in a commit [3] by replacing .html() with .text() when setting the filename text, which prevents HTML interpretation. The change is included in GitHub commit 7ad419dc8c12180e842a82118f4866ac3d074bc5. Users should update to a Calibre-Web version that includes this commit (likely any release after January 14, 2021, based on the commit date). No workaround is described in the available references. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities catalog.