CVE | Vendors | Products | Updated | CVSS v3.1 |
ReDoS in the strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via a specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. |
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization. |
The “Calibre-web” application, v0.6.0 to v0.6.12, is vulnerable to Stored XSS in “Metadata”. An attacker who has access to edit the metadata information can inject a JavaScript payload in the description field. When a victim tries to open the file, the XSS will be triggered. |
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. |
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. |
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20. |
Calibre-Web before 0.6.18 allows user table SQL Injection. |
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. |
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. |
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. |
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. |
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. |
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16. |
Cross-site Scripting (XSS) - Reflected in PyPI calibreweb prior to 0.6.16. |
Server-Side Request Forgery (SSRF) in PyPI calibreweb prior to 0.6.16. |
Improper Access Control in PyPI calibreweb prior to 0.6.16. |
calibre-web is vulnerable to Business Logic Errors |
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) |
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. |