Safety vulnerability ID: 74257
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of cps in calibre-web are vulnerable to Cross-Site Scripting (CWE-79). This vulnerability allows attackers to inject malicious scripts through upload filename fields by exploiting the use of the .html() method to display filenames, potentially compromising user sessions or executing unauthorized actions. The attack vector involves uploading filenames containing malicious HTML or JavaScript, which are rendered unsafely in the DOM. The vulnerable methods include jQuery’s .html() in edit_books.js. To mitigate, upgrade to the version which replaces .html() with .text(), ensuring safe rendering of filenames.
Latest version: 0.6.24
Web app for browsing, reading and downloading eBooks stored in a Calibre database.
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application