Moderate severity · NVD Advisory · Published Jul 19, 2024 · Updated Aug 2, 2024

CVE-2024-39123

Description

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calibre-Web 0.6.0 to 0.6.21 has a stored XSS in edit_book_comments due to insufficient HTML sanitization, allowing arbitrary script execution.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in the edit_book_comments function of Calibre-Web versions 0.6.0 through 0.6.21 [2]. The root cause is improper sanitization performed by the clean_string function, which fails to adequately neutralize malicious HTML input [1][2].

Exploitation

Details

An attacker with access to upload or edit book metadata can inject a malicious payload into the book's description (Comments) field [3]. For example, using a crafted `` tag with JavaScript encoding bypasses the weak filters [3]. The payload is stored and executed when a victim views the book details and interacts with the injected content, such as clicking a hyperlink [3]. No authentication beyond a valid user account is required, making this a stored XSS attack that targets other users [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session [3]. This can lead to data theft, session hijacking, defacement, or further actions within the Calibre-Web application [2][3].

Mitigation

The vulnerability affects Calibre-Web up to version 0.6.21 [2]. As of the CVE publication date (2024-07-19), no patch is mentioned in the references [1][2][3]. Users should monitor the official GitHub repository for updates and consider limiting write access to trusted users as a workaround [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           calibreweb (PyPI)
Affected versions: >= 0.6.0, <= 0.6.21
Patched versions:  none listed

Affected products: 2

Patches: 0 (no patches discovered yet)
