67 matches found
CVE-2022-0339
Server-Side Request Forgery SSRF in Pypi calibreweb prior to 0.6.16...
CVE-2022-0273
Improper Access Control in Pypi calibreweb prior to 0.6.16...
Server-Side Request Forgery
calibreweb is vulnerable to Server-Side Request Forgery. The vulnerability exists because the blacklist does not check for 0.0.0.0, so a payload of 0.0.0.0 resolves to localhost...
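The entry above describes a string blacklist that names some local addresses but not 0.0.0.0. The example below is added here to show why that class of check fails and what a practitioner should do instead; it is not calibre-web's code, and the blacklist contents, the fake DNS table and the hostnames are constructed for illustration. The hardened check decides on resolved IP addresses rather than on the host string, so 0.0.0.0 (the unspecified address, which connects to the local host on common platforms), loopback, private, link-local and IPv4-mapped IPv6 forms are all rejected, and an unresolvable host fails closed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed shape of the flawed check described in the advisory: string matches
# only. Not calibre-web's own list.
NAIVE_BLACKLIST = {"localhost", "127.0.0.1", "::1"}


def naive_is_blocked(host: str) -> bool:
    """String comparison only: 0.0.0.0, ::ffff:127.0.0.1 and any DNS name
    that resolves to an internal address all pass this check."""
    return host.lower() in NAIVE_BLACKLIST


def system_resolver(host: str) -> list:
    """Real DNS lookup; returns the distinct addresses a name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline (hypothetical names).
FAKE_DNS = {
    "books.example": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


def address_is_internal(addr) -> bool:
    """True for anything that must never be fetched on the server's behalf."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    # is_global is False for loopback, private (RFC 1918), link-local
    # (169.254.0.0/16, fe80::/10), CGNAT and the unspecified address;
    # 0.0.0.0 is also checked explicitly because it is the advisory's case.
    return addr.is_unspecified or not addr.is_global


def hardened_is_blocked(host: str, resolver=system_resolver) -> bool:
    """Block on every address the host maps to, not on the host string."""
    host = host.strip("[]")
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP, no lookup
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return True  # fail closed: an unresolvable host is not fetched
    # A name with any internal answer is rejected, which defeats the
    # "one public and one private A record" trick used for rebinding.
    return any(address_is_internal(a) for a in candidates)


def url_is_safe(url: str, resolver=system_resolver) -> bool:
    """Scheme allow-list plus the resolved-address check on the host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not hardened_is_blocked(parts.hostname, resolver)
```

Two caveats that the check alone does not cover: the address validated here must be the one actually connected to (pin the resolved IP when opening the socket, or re-check after resolution inside the HTTP client), and redirects must be re-validated hop by hop, since a permitted public host can 302 to http://0.0.0.0/.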
Cross-site Scripting (XSS)
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the username field during user creation. An attacker can execute arbitrary JavaScript code in the context of...
EUVD-2022-0034
Malicious code in bioql PyPI...
EUVD-2022-0033
Malicious code in bioql PyPI...
EUVD-2022-0035
Malicious code in bioql PyPI...
Regular Expression Denial of Service (ReDoS)
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the stripwhitespaces function in cps/stringhelper.py file. An attacker can cause the...
CVE-2022-0352
Cross-site Scripting XSS - Reflected in Pypi calibreweb prior to 0.6.16...
Cross-site Scripting (XSS)
calibreweb is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insufficient sanitization of user input in the editbooks.js file when editing book properties, such as uploading a cover or format. This allows attackers to execute arbitrary JavaScript code...
Sensitive Information Exposure
calibreweb is vulnerable to Sensitive Information Exposure. The vulnerability is due to improper error handling, exposing the names of private shelves in error messages when unauthorized users attempt to remove a book from a shelf they do not own...
Cross-site Scripting (XSS)
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the editbooks.js component due to improper user input sanitization. An attacker can inject malicious...
Improper Access Control
calibreweb is vulnerable to Improper Access Control. The vulnerability is due to insufficient permission checks in the createshelf method of shelf.py, allowing users without public shelf permissions to create public shelves...
Missing Authorization
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Missing Authorization for the createshelf function in shelf.py. A low-privileged user can create public shelves by passing the...
Information Exposure
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Information Exposure in shelf.py, which includes the name of the shelf in error output. An attacker can view shelf names owned by other...
Weak Password Requirements
calibreweb is vulnerable to Weak Password Requirements. The vulnerability exists in the generaterandompassword function of helper.py, which allows users to create weak passwords resulting in account takeovers via bruteforce attacks...
Improper Authentication
calibreweb is vulnerable to Improper Authentication. The vulnerability exists in the login function of web.py file, which allows a remote attacker to take over an account by brute-forcing credentials, due to improper restriction of excessive authentication attempts...
GHSA-JG8W-WGX2-G7Q4 Improper Restriction of Excessive Authentication Attempts in calibreweb
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20...
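The two entries on brute-forcing the login (CWE-307 above, and the Improper Authentication entry for the login function of web.py) both come down to the absence of a failed-attempt limit. The example below is an added illustration of such a limit, not calibre-web's fix: a throttle that counts failures per account and per client address within a sliding window and locks the key for a fixed period once the threshold is hit. The clock is injectable so the lockout expiry can be exercised without waiting; the usernames, addresses and `verify` callback are constructed for the example.

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout, keyed on
    both the target account and the client address."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a key stays locked
        self.clock = clock        # injectable for tests
        self._failures = {}       # key -> deque of failure timestamps
        self._locked_until = {}   # key -> monotonic time the lock expires

    @staticmethod
    def _keys(username, client_ip):
        # Keying on both limits the attacker who rotates usernames from one
        # address and the one who rotates addresses against one account.
        return ("user:" + username.strip().lower(), "ip:" + client_ip)

    def _prune(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def allowed(self, username, client_ip):
        return not any(self.is_locked(k) for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip):
        now = self.clock()
        for key in self._keys(username, client_ip):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout

    def record_success(self, username, client_ip):
        # Clear the account's counter only; a success from an address that
        # is still hammering other accounts should not reset that address.
        user_key = self._keys(username, client_ip)[0]
        self._failures.pop(user_key, None)
        self._locked_until.pop(user_key, None)


def attempt_login(throttle, username, password, client_ip, verify):
    """Gate a login through the throttle. `verify(username, password)` is a
    hypothetical credential check supplied by the caller. Returns one of
    "locked", "ok" or "denied"; the HTTP response should show the same
    generic message for "locked" and "denied" so the limit itself does not
    confirm which accounts exist."""
    if not throttle.allowed(username, client_ip):
        return "locked"
    if verify(username, password):
        throttle.record_success(username, client_ip)
        return "ok"
    throttle.record_failure(username, client_ip)
    return "denied"


class FakeClock:
    """Constructed clock so the lockout window can be advanced deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

A per-account lock is also a denial-of-service lever against that account, so keep the lockout short and pair it with the per-address counter rather than a permanent lock; the threshold and window values here are placeholders, not recommendations for any particular deployment.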
GHSA-MHMP-M6G7-7C24 Weak Password Requirements in calibreweb
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20...
Weak Password Requirements in calibreweb
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20...