2 matches found
Cross-site Scripting (XSS)
Overview calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the editbooks.js component due to improper user input sanitization. An attacker can inject malicious...
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
Description It is possible to execute XSS payloads when editing book properties, such as uploading a cover or a format. Proof of Concept The file editbooks.js contains the following code: $"btn-upload-cover".on"change", function var filename = $this.val; if filename.substring3, 11 === "fakepath"...