Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrScara31FF395101-E392-401D-AB4F-579C63FBF6A0
HistoryDec 20, 2021 - 12:01 p.m.

Cross-site Scripting (XSS) - Stored in janeczku/calibre-web

2021-12-2012:01:45
scara31
www.huntr.dev
11
stored xss
input check
identifiers
janeczku/calibre-web
stealing cookies
key logging

EPSS

0.001

Percentile

21.4%

JSON

Description

Missing input check on Identifiers lead to stored XSS.

Steps to reproduce

  1. 1. Any book -> Edit metadata -> Identifiers
  2. 2. Set any value to the first field and javascript:alert(document.domain) to the second one.
  3. 3. Save the book, select it, click on Identifier -> XSSed!

Proof of Concept

Video PoC

P.s.: this exploit works in Firefox and Safari, not Chrome.

Impact

This vulnerability is capable of stealing cookies, key logging, etc.

Related

osv 2
prion 1
cnvd 1
github 1
cvelist 1
nvd 1
cve 1
osv
osv
calibre-web is vulnerable to Cross-site Scripting
2022-01-21 23:55:34
CVE-2021-4170
2022-01-16 21:15:07
prion
prion
Cross site scripting
2022-01-16 21:15:00
cnvd
cnvd
Calibre-Web Cross-Site Scripting Vulnerability (CNVD-2022-21489)
2022-01-17 00:00:00
github
github
calibre-web is vulnerable to Cross-site Scripting
2022-01-21 23:55:34
cvelist
cvelist
CVE-2021-4170 Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
2022-01-16 20:55:10
nvd
nvd
CVE-2021-4170
2022-01-16 21:15:07
cve
cve
CVE-2021-4170
2022-01-16 21:15:07

EPSS

0.001

Percentile

21.4%

JSON
Related for FF395101-E392-401D-AB4F-579C63FBF6A0
osv2prion1cnvd1github1cvelist1nvd1cve1