Search criteria
18 vulnerabilities by calibre-web_project
CVE-2023-2106 (GCVE-0-2023-2106)
Vulnerability from cvelistv5 – Published: 2023-04-15 00:00 – Updated: 2025-02-06 15:33
VLAI
Title
Weak Password Requirements in janeczku/calibre-web
Summary
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
Severity
7.3 (High)
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-521 - Weak Password Requirements
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.20
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-2106",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T15:32:47.898937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T15:33:47.636Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-15T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
},
{
"url": "https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"
}
],
"source": {
"advisory": "c3d5c647-7557-40a9-aee4-24dc14882781",
"discovery": "EXTERNAL"
},
"title": "Weak Password Requirements in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-2106",
"datePublished": "2023-04-15T00:00:00.000Z",
"dateReserved": "2023-04-15T00:00:00.000Z",
"dateUpdated": "2025-02-06T15:33:47.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2525 (GCVE-0-2022-2525)
Vulnerability from cvelistv5 – Published: 2023-04-15 00:00 – Updated: 2025-02-06 16:02
VLAI
Title
Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
Severity
7.3 (High)
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.20
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T16:02:14.757050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:02:55.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-15T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"
},
{
"url": "https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"
}
],
"source": {
"advisory": "9ff87820-c14c-4454-9764-406496254ef0",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2525",
"datePublished": "2023-04-15T00:00:00.000Z",
"dateReserved": "2022-07-24T00:00:00.000Z",
"dateUpdated": "2025-02-06T16:02:55.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30765 (GCVE-0-2022-30765)
Vulnerability from cvelistv5 – Published: 2022-05-16 01:50 – Updated: 2024-08-03 06:56
VLAI
Summary
Calibre-Web before 0.6.18 allows user table SQL Injection.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/blob/mast… | x_refsource_MISC |
| https://github.com/janeczku/calibre-web/releases/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:14.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web before 0.6.18 allows user table SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T01:50:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-30765",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Calibre-Web before 0.6.18 allows user table SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"
},
{
"name": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-30765",
"datePublished": "2022-05-16T01:50:53.000Z",
"dateReserved": "2022-05-16T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:56:14.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0990 (GCVE-0-2022-0990)
Vulnerability from cvelistv5 – Published: 2022-04-04 17:50 – Updated: 2024-08-02 23:47
VLAI
Title
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
Severity
9.3 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/commit/45… | x_refsource_MISC |
| https://huntr.dev/bounties/31649903-c19c-4dae-aee… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.18
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T17:50:17.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"source": {
"advisory": "31649903-c19c-4dae-aee0-a04b095855c5",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0990",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.18"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"name": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
]
},
"source": {
"advisory": "31649903-c19c-4dae-aee0-a04b095855c5",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0990",
"datePublished": "2022-04-04T17:50:17.000Z",
"dateReserved": "2022-03-15T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:47:43.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0939 (GCVE-0-2022-0939)
Vulnerability from cvelistv5 – Published: 2022-04-04 09:40 – Updated: 2024-08-02 23:47
VLAI
Title
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
Severity
9 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/768fd7e2-a767-4d8d-a51… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/45… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.18
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.18",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T09:40:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
],
"source": {
"advisory": "768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0939",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.18"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
}
]
},
"source": {
"advisory": "768fd7e2-a767-4d8d-a517-e9dda849c6e4",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0939",
"datePublished": "2022-04-04T09:40:10.000Z",
"dateReserved": "2022-03-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:47:43.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0406 (GCVE-0-2022-0406)
Vulnerability from cvelistv5 – Published: 2022-04-03 19:05 – Updated: 2024-08-02 23:25
VLAI
Title
Improper Authorization in janeczku/calibre-web
Summary
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
Severity
4.3 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/d7498799-4797-4751-b5e… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/e0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.16
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-03T19:05:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
],
"source": {
"advisory": "d7498799-4797-4751-b5e2-b669e729d5db",
"discovery": "EXTERNAL"
},
"title": "Improper Authorization in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0406",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d7498799-4797-4751-b5e2-b669e729d5db"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/e0e04220109920575179a8f924543449c6de0706"
}
]
},
"source": {
"advisory": "d7498799-4797-4751-b5e2-b669e729d5db",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0406",
"datePublished": "2022-04-03T19:05:10.000Z",
"dateReserved": "2022-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0405 (GCVE-0-2022-0405)
Vulnerability from cvelistv5 – Published: 2022-04-03 18:30 – Updated: 2024-08-02 23:25
VLAI
Title
Improper Access Control in janeczku/calibre-web
Summary
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
Severity
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/commit/3b… | x_refsource_MISC |
| https://huntr.dev/bounties/370538f6-5312-4c15-9fc… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.16
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-03T18:30:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
],
"source": {
"advisory": "370538f6-5312-4c15-9fc0-b4c36ac236fe",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0405",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
{
"name": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/370538f6-5312-4c15-9fc0-b4c36ac236fe"
}
]
},
"source": {
"advisory": "370538f6-5312-4c15-9fc0-b4c36ac236fe",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0405",
"datePublished": "2022-04-03T18:30:15.000Z",
"dateReserved": "2022-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0766 (GCVE-0-2022-0766)
Vulnerability from cvelistv5 – Published: 2022-03-07 07:05 – Updated: 2024-08-02 23:40
VLAI
Title
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
Severity
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/commit/96… | x_refsource_MISC |
| https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8e… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.17
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T07:05:19.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
],
"source": {
"advisory": "7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0766",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.17"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
},
{
"name": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"
}
]
},
"source": {
"advisory": "7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0766",
"datePublished": "2022-03-07T07:05:19.000Z",
"dateReserved": "2022-02-26T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0767 (GCVE-0-2022-0767)
Vulnerability from cvelistv5 – Published: 2022-03-07 07:05 – Updated: 2024-08-02 23:40
VLAI
Title
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Summary
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
Severity
9.1 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/b26fc127-9b6a-4be7-a45… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/96… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.17
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.721Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T07:05:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
],
"source": {
"advisory": "b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0767",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.17"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"
}
]
},
"source": {
"advisory": "b26fc127-9b6a-4be7-a455-58aefbb62d9e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0767",
"datePublished": "2022-03-07T07:05:11.000Z",
"dateReserved": "2022-02-26T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0273 (GCVE-0-2022-0273)
Vulnerability from cvelistv5 – Published: 2022-01-30 13:21 – Updated: 2024-08-02 23:25
VLAI
Title
Improper Access Control in janeczku/calibre-web
Summary
Improper Access Control in Pypi calibreweb prior to 0.6.16.
Severity
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/0c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.16
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-30T13:21:51.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
],
"source": {
"advisory": "8f27686f-d698-4ab6-8ef0-899125792f13",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0273",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"
}
]
},
"source": {
"advisory": "8f27686f-d698-4ab6-8ef0-899125792f13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0273",
"datePublished": "2022-01-30T13:21:51.000Z",
"dateReserved": "2022-01-18T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0339 (GCVE-0-2022-0339)
Vulnerability from cvelistv5 – Published: 2022-01-30 13:17 – Updated: 2024-08-02 23:25
VLAI
Title
Server-Side Request Forgery (SSRF) in janeczku/calibre-web
Summary
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
Severity
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/499688c4-6ac4-4047-a86… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/3b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.16
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-30T13:17:54.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
],
"source": {
"advisory": "499688c4-6ac4-4047-a868-7922c3eab369",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0339",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
}
]
},
"source": {
"advisory": "499688c4-6ac4-4047-a868-7922c3eab369",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0339",
"datePublished": "2022-01-30T13:17:54.000Z",
"dateReserved": "2022-01-22T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0352 (GCVE-0-2022-0352)
Vulnerability from cvelistv5 – Published: 2022-01-28 21:29 – Updated: 2024-08-02 23:25
VLAI
Title
Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
Summary
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
Severity
8.5 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/a577ff17-2ded-4c41-84a… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/6b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.16
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T21:29:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
],
"source": {
"advisory": "a577ff17-2ded-4c41-84ae-6ac02440f717",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0352",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.16"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
}
]
},
"source": {
"advisory": "a577ff17-2ded-4c41-84ae-6ac02440f717",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0352",
"datePublished": "2022-01-28T21:29:15.000Z",
"dateReserved": "2022-01-24T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4164 (GCVE-0-2021-4164)
Vulnerability from cvelistv5 – Published: 2022-01-17 12:35 – Updated: 2024-08-03 17:16
VLAI
Title
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Summary
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
Severity
7.6 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/2debace1-a0f3-45c1-95f… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/78… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.15
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T12:35:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
],
"source": {
"advisory": "2debace1-a0f3-45c1-95fa-9d0512680758",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Request Forgery (CSRF) in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4164",
"STATE": "PUBLIC",
"TITLE": "Cross-Site Request Forgery (CSRF) in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"
}
]
},
"source": {
"advisory": "2debace1-a0f3-45c1-95fa-9d0512680758",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4164",
"datePublished": "2022-01-17T12:35:10.000Z",
"dateReserved": "2021-12-24T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:16:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4171 (GCVE-0-2021-4171)
Vulnerability from cvelistv5 – Published: 2022-01-17 09:45 – Updated: 2024-08-03 17:16
VLAI
Title
Business Logic Errors in janeczku/calibre-web
Summary
calibre-web is vulnerable to Business Logic Errors
Severity
7.7 (High)
CWE
- CWE-840 - Business Logic Errors
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1117f439-133c-4563-afb… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/3e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.15
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Business Logic Errors"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "CWE-840 Business Logic Errors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T09:45:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
],
"source": {
"advisory": "1117f439-133c-4563-afb2-6cd80607bd5c",
"discovery": "EXTERNAL"
},
"title": "Business Logic Errors in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4171",
"STATE": "PUBLIC",
"TITLE": "Business Logic Errors in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Business Logic Errors"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-840 Business Logic Errors"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"
}
]
},
"source": {
"advisory": "1117f439-133c-4563-afb2-6cd80607bd5c",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4171",
"datePublished": "2022-01-17T09:45:10.000Z",
"dateReserved": "2021-12-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:16:04.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4170 (GCVE-0-2021-4170)
Vulnerability from cvelistv5 – Published: 2022-01-16 20:55 – Updated: 2024-08-03 17:16
VLAI
Title
Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
Summary
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/ff395101-e392-401d-ab4… | x_refsource_CONFIRM |
| https://github.com/janeczku/calibre-web/commit/7a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| janeczku | janeczku/calibre-web |
Affected:
unspecified , < 0.6.15
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "janeczku/calibre-web",
"vendor": "janeczku",
"versions": [
{
"lessThan": "0.6.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-16T20:55:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
],
"source": {
"advisory": "ff395101-e392-401d-ab4f-579c63fbf6a0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in janeczku/calibre-web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4170",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in janeczku/calibre-web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "janeczku/calibre-web",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.15"
}
]
}
}
]
},
"vendor_name": "janeczku"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"
}
]
},
"source": {
"advisory": "ff395101-e392-401d-ab4f-579c63fbf6a0",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4170",
"datePublished": "2022-01-16T20:55:10.000Z",
"dateReserved": "2021-12-25T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:16:04.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25965 (GCVE-0-2021-25965)
Vulnerability from cvelistv5 – Published: 2021-11-16 09:15 – Updated: 2025-04-30 15:46
VLAI
Title
Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)
Summary
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/commit/50… | x_refsource_MISC |
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| calibreweb | calibreweb |
Affected:
0.6.0 , < unspecified
(custom)
Affected: unspecified , ≤ 0.6.13 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:29:26.148130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:46:00.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "calibreweb",
"vendor": "calibreweb",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.6.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-16T09:15:11.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 0.6.14"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2021-25965",
"STATE": "PUBLIC",
"TITLE": "Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "calibreweb",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.6.0"
},
{
"version_affected": "\u003c=",
"version_value": "0.6.13"
}
]
}
}
]
},
"vendor_name": "calibreweb"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "WhiteSource Vulnerability Research Team (WVR)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 0.6.14"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25965",
"datePublished": "2021-11-16T09:15:11.000Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T15:46:00.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25964 (GCVE-0-2021-25964)
Vulnerability from cvelistv5 – Published: 2021-10-04 14:55 – Updated: 2025-04-30 16:24
VLAI
Title
Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata
Summary
In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.whitesourcesoftware.com/vulnerability… | x_refsource_MISC |
| https://github.com/janeczku/calibre-web/commit/32… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OzzieIsaacs | calibreweb |
Affected:
0.6.0 , < unspecified
(custom)
Affected: unspecified , ≤ 0.6.12 (custom) |
Date Public
2021-10-02 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25964",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T16:10:31.385133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T16:24:59.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "calibreweb",
"vendor": "OzzieIsaacs",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.6.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In \u201cCalibre-web\u201d application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \u201cMetadata\u201d. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T14:55:10.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 0.6.13"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-10-02T14:38:00.000Z",
"ID": "CVE-2021-25964",
"STATE": "PUBLIC",
"TITLE": "Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "calibreweb",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.6.0"
},
{
"version_affected": "\u003c=",
"version_value": "0.6.12"
}
]
}
}
]
},
"vendor_name": "OzzieIsaacs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In \u201cCalibre-web\u201d application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \u201cMetadata\u201d. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964"
},
{
"name": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 0.6.13"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25964",
"datePublished": "2021-10-04T14:55:10.213Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T16:24:59.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12627 (GCVE-0-2020-12627)
Vulnerability from cvelistv5 – Published: 2020-05-04 02:16 – Updated: 2024-08-04 12:04
VLAI
Summary
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/janeczku/calibre-web/pull/1337 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:21.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Calibre-Web 0.6.6 allows authentication bypass because of the \u0027A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\u0027 hardcoded secret key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T02:16:06.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Calibre-Web 0.6.6 allows authentication bypass because of the \u0027A0Zr98j/3yX R~XHH!jmN]LWX/,?RT\u0027 hardcoded secret key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/janeczku/calibre-web/pull/1337",
"refsource": "MISC",
"url": "https://github.com/janeczku/calibre-web/pull/1337"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12627",
"datePublished": "2020-05-04T02:16:06.000Z",
"dateReserved": "2020-05-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:04:21.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}