CVE-2024-39307

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39307
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39307.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39307
Aliases
  • GHSA-r4qc-3w52-2v84
Published
2024-06-28T20:44:53.930Z
Modified
2025-12-05T05:18:43.727217Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Cross-Site Scripting (XSS) vulnerability via crafted ebooks in Kavita
Details

Kavita is a cross-platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39307.json"
}
References

Affected packages

Git / github.com/kareadita/kavita

Affected ranges

Type
GIT
Repo
https://github.com/kareadita/kavita
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.8.0"
        }
    ]
}

Affected versions

v0.*

v0.1
v0.2
v0.3
v0.3.1
v0.3.2
v0.3.5
v0.3.6
v0.3.7
v0.4
v0.4.1
v0.4.1.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.4.9.1
v0.4.9.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.2
v0.5.2.3
v0.5.2.5
v0.5.3
v0.5.4
v0.5.4.1
v0.5.4.2
v0.5.5
v0.5.6
v0.6.0
v0.6.1
v0.7
v0.7.1
v0.7.1.4
v0.7.10
v0.7.10.1
v0.7.10.2
v0.7.11
v0.7.11.1
v0.7.11.2
v0.7.12
v0.7.13
v0.7.14
v0.7.2
v0.7.3
v0.7.3.1
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0