calibreweb@0.6.15 vulnerabilities

Web app for browsing, reading and downloading eBooks stored in a Calibre database.

latest version

0.6.24

latest non vulnerable version

first published

3 years ago

latest version published

5 months ago

licenses detected

GPL-3.0
[0,)

View calibreweb package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the calibreweb package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the `edit_book_comments` function. An attacker can inject malicious scripts by exploiting the inadequate HTML sanitization performed by the `clean_string` function. How to fix Cross-site Scripting (XSS)? Upgrade `calibreweb` to version 0.6.22 or higher.	[,0.6.22)
H Weak Password Requirements calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Weak Password Requirements due to missing rate limits in the login functionality. How to fix Weak Password Requirements? Upgrade `calibreweb` to version 0.6.20 or higher.	[,0.6.20)
H Brute Force calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Brute Force due to missing rate limiting in login form. How to fix Brute Force? Upgrade `calibreweb` to version 0.6.20 or higher.	[,0.6.20)
C SQL Injection calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to SQL Injection in the user table. How to fix SQL Injection? Upgrade `calibreweb` to version 0.6.18 or higher.	[,0.6.18)
H Server-side Request Forgery (SSRF) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper fix of CVE-2022-0767 and CVE-2022-0766 which only address loopback/localhost IP addresses which can allow attacker to access internal endpoints. How to fix Server-side Request Forgery (SSRF)? Upgrade `calibreweb` to version 0.6.18 or higher.	[,0.6.18)
M Improper Access Control calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Improper Access Control due to improper HTML rendering, when the user doesn't have view permissions to read the name of a private shelf, the server continues to render the HTML containing `shelf.name` instead of showing error messages and redirect. Exploiting this vulnerability leads to disclosing the name of the private shelf. How to fix Improper Access Control? Upgrade `calibreweb` to version 0.6.16 or higher.	[,0.6.16)
C Server-side Request Forgery (SSRF) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper fix CVE-2022-0767, which makes it possible to be bypassed via the IPV4/IPV4 embedding. How to fix Server-side Request Forgery (SSRF)? Upgrade `calibreweb` to version 0.6.18 or higher.	[,0.6.18)
C Server-side Request Forgery (SSRF) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to an incomplete SSRF protection that can be bypassed via an HTTP redirect. An HTTP server that is set up to respond with a 302 redirect may redirect a request to `localhost`. How to fix Server-side Request Forgery (SSRF)? Upgrade `calibreweb` to version 0.6.17 or higher.	[,0.6.17)
M Server-side Request Forgery (SSRF) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to an incomplete fix for CVE-2022-0339. The blacklist does not check for `0.0.0.0`, which would result in a payload of `0.0.0.0` resolving to `localhost`. How to fix Server-side Request Forgery (SSRF)? Upgrade `calibreweb` to version 0.6.17 or higher.	[,0.6.17)
M Improper Access Control calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Improper Access Control. This is caused because low-level users can create a new shelf with public mode. How to fix Improper Access Control? Upgrade `calibreweb` to version 0.6.16 or higher.	[,0.6.16)
M Cross-site Scripting (XSS) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of safe statement. How to fix Cross-site Scripting (XSS)? Upgrade `calibreweb` to version 0.6.16 or higher.	[,0.6.16)
M Server-side Request Forgery (SSRF) calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization of `Fetch Cover from URL` field, which makes it possible to point to a malicious server instead of an external URL. How to fix Server-side Request Forgery (SSRF)? Upgrade `calibreweb` to version 0.6.16 or higher.	[,0.6.16)

Go back to all versions of this package