A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.
History

Wed, 20 Nov 2024 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Tue, 19 Nov 2024 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Janeczku Janeczku calibre-web | |
| CPEs | cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:* | |
| Vendors & Products | Janeczku Janeczku calibre-web | |
| Metrics | cvssV3_1 | |
Fri, 15 Nov 2024 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event. | |
| Title | Cross-site Scripting (XSS) in janeczku/calibre-web | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_0 | |
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-11-15T10:52:39.637Z
Updated: 2024-11-20T22:35:15.693Z
Reserved: 2021-11-20T12:40:59.399Z
Link: CVE-2021-3988

Vulnrichment
Updated: 2024-11-20T22:35:09.582Z

NVD
Status: Analyzed
Published: 2024-11-15T11:15:06.877
Modified: 2024-11-19T15:43:01.723
Link: CVE-2021-3988

Redhat
No data.