Critical severity · NVD Advisory · Published May 16, 2022 · Updated Aug 3, 2024

CVE-2022-30765

Description

Calibre-Web before 0.6.18 allows user table SQL Injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calibre-Web before 0.6.18 has a SQL injection vulnerability in the user table, enabling potential database attacks.

Vulnerability

Calibre-Web before version 0.6.18 contains a SQL injection vulnerability in the user table; the fix was released in 0.6.18 [2][4]. The exact code path and required configuration are not detailed in the available references.

Exploitation

An attacker with network access to the Calibre-Web application could exploit this SQL injection. The necessary privileges and exact steps are not disclosed in the references, but the vulnerability is classified as user table SQL injection, suggesting potential for database manipulation [2][4].

Impact

Successful exploitation could allow an attacker to read, modify, or delete data in the user table, potentially leading to unauthorized access, privilege escalation, or disclosure of user credentials and other sensitive information [2][4].

Mitigation

Upgrade to Calibre-Web version 0.6.18 or later, which includes the security fix [4]. No workarounds have been published. Users should always run the latest version as recommended in the security policy [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: calibreweb (PyPI)
Affected versions: < 0.6.18
Patched versions: 0.6.18
