GHSA-j22r-3rf3-cv25

Source

https://github.com/advisories/GHSA-j22r-3rf3-cv25

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-j22r-3rf3-cv25/GHSA-j22r-3rf3-cv25.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j22r-3rf3-cv25

Aliases

CVE-2024-39123

Published

2024-07-19T21:31:11Z

Modified

2024-07-19T22:57:15.849503Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Calibre-Web Cross Site Scripting (XSS)

Details

In janeczku Calibre-Web 0.6.0 to 0.6.21, the editbookcomments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the cleanstring function. The vulnerability arises from the way the cleanstring function handles HTML sanitization.

References

Affected packages

PyPI / calibreweb

Package

Name: calibreweb; View open source insights on deps.dev
Purl: pkg:pypi/calibreweb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.6.0

Last affected

0.6.21

Affected versions

0.*

0.6.12

0.6.13

0.6.14

0.6.15

0.6.16

0.6.17

0.6.18

0.6.19

0.6.20

0.6.21