🚨 CVE-2024-9830
The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
@cveNotify
🚨 CVE-2020-12627
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.
@cveNotify
GitHub
Don't use a hardcoded session key by jvoisin · Pull Request #1337 · janeczku/calibre-web
This fixes a trivial authentication bypass,
according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
🚨 CVE-2021-25964
In the “Calibre-web” application, versions v0.6.0 to v0.6.12 are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information can inject a JavaScript payload in the description field. When a victim tries to open the file, the XSS will be triggered.
@cveNotify
GitHub
Added lxml to needed requirements · janeczku/calibre-web@32e2771
Improved displaying of series title, book of series, comments and custom comments
🚨 CVE-2021-25965
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
@cveNotify
GitHub
Added handling for missing flask-wtf dependency · janeczku/calibre-web@50919d4
Added CSRF protection (via flask-wtf)
Moved upload function to js file
Fixed error page in case of csrf failure
🚨 CVE-2021-4170
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
@cveNotify
GitHub
Fix upload of cover and book formats containing html characters · janeczku/calibre-web@7ad419d
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
🚨 CVE-2022-0352
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
@cveNotify
GitHub
Prevent wrong use of safe statement · janeczku/calibre-web@6bf0753
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
🚨 CVE-2022-0339
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
@cveNotify
GitHub
Kobo sync token is now also created if accessed from localhost (fixes #1990) · janeczku/calibre-web@3b216bf
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is caught
If book format is deleted this also deletes the book synced to...
🚨 CVE-2022-0766
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
@cveNotify
GitHub
Don't allow redirects on cover uploads, catch more addresses which resolve to localhost · janeczku/calibre-web@965352c
🚨 CVE-2022-0767
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
@cveNotify
GitHub
Don't allow redirects on cover uploads, catch more addresses which resolve to localhost · janeczku/calibre-web@965352c
🚨 CVE-2022-0405
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
@cveNotify
GitHub
Kobo sync token is now also created if accessed from localhost (fixes #1990) · janeczku/calibre-web@3b216bf
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is caught
If book format is deleted this also deletes the book synced to...
🚨 CVE-2022-0406
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
@cveNotify
GitHub
Updates for new release · janeczku/calibre-web@e0e0422
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
🚨 CVE-2022-0939
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items · janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
🚨 CVE-2022-0990
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items · janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
🚨 CVE-2022-2525
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
@cveNotify
GitHub
** Be careful, after updating, there is no way back ** · janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
🚨 CVE-2023-2106
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
@cveNotify
GitHub
** Be careful, after updating, there is no way back ** · janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
🚨 CVE-2024-44206
An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.
@cveNotify
Apple Support
About the security content of iOS 17.6 and iPadOS 17.6 - Apple Support
This document describes the security content of iOS 17.6 and iPadOS 17.6.
🚨 CVE-2024-23715
In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
@cveNotify