CVE-2021-3988

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-3988

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3988.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-3988

Aliases

GHSA-r735-9gc6-2hvq

Published

2024-11-15T11:15:06Z

Modified

2024-11-19T16:46:44.650898Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file edit_books.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.

References

Affected packages

Git / github.com/janeczku/calibre-web

Affected ranges

Type: GIT
Repo: https://github.com/janeczku/calibre-web
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7ad419dc8c12180e842a82118f4866ac3d074bc5

Affected versions

0.*

0.6.0

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9