π¨ CVE-2021-25964
In βCalibre-webβ application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in βMetadataβ. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
π@cveNotify
In βCalibre-webβ application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in βMetadataβ. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
π@cveNotify
GitHub
Added lxml to needed requirements Β· janeczku/calibre-web@32e2771
Improved displaying of series title, book of series, comments and custom comments
π1
π¨ CVE-2021-25965
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
π@cveNotify
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
π@cveNotify
GitHub
Added handling for missing flask-wtf dependency Β· janeczku/calibre-web@50919d4
Added CSRF protection (via flask-wtf)
Moved upload function to js file
Fixed error page in case of csrf failure
Moved upload function to js file
Fixed error page in case of csrf failure
π¨ CVE-2021-4170
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
π@cveNotify
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
π@cveNotify
GitHub
Fix upload of cover and book formats containing html characters Β· janeczku/calibre-web@7ad419d
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database - Fix upload of cover and book formats containing html characters Β· janeczku/calibre-web@7ad419d
π¨ CVE-2022-0352
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
π@cveNotify
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
π@cveNotify
GitHub
Prevent wrong use of safe statement Β· janeczku/calibre-web@6bf0753
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database - Prevent wrong use of safe statement Β· janeczku/calibre-web@6bf0753
π¨ CVE-2022-0339
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
π@cveNotify
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
π@cveNotify
GitHub
Kobo sync token is now also created if accessed from localhost(fixes β¦ Β· janeczku/calibre-web@3b216bf
β¦#1990)
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is catched
If book format is deleted this also deletes the book synced to...
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is catched
If book format is deleted this also deletes the book synced to...
π¨ CVE-2022-0766
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
π@cveNotify
GitHub
Don't allow redirects on cover uploads, catch more addresses which re⦠· janeczku/calibre-web@965352c
β¦solve to localhost
π¨ CVE-2022-0767
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
π@cveNotify
GitHub
Don't allow redirects on cover uploads, catch more addresses which re⦠· janeczku/calibre-web@965352c
β¦solve to localhost
π¨ CVE-2022-0405
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
GitHub
Kobo sync token is now also created if accessed from localhost(fixes β¦ Β· janeczku/calibre-web@3b216bf
β¦#1990)
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is catched
If book format is deleted this also deletes the book synced to...
Create kobo sync token button is now "unclicked" after closing dialog
Additional localhost route is catched
If book format is deleted this also deletes the book synced to...
π¨ CVE-2022-0406
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
GitHub
Upates for new release Β· janeczku/calibre-web@e0e0422
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database - Upates for new release Β· janeczku/calibre-web@e0e0422
π¨ CVE-2022-0939
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items Β· janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
renamed variables
refactored xml page generation
refactored prepare author
π¨ CVE-2022-0990
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items Β· janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
renamed variables
refactored xml page generation
refactored prepare author
π¨ CVE-2022-2525
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
GitHub
** Be careful, after updating, there is no way back ** Β· janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
π¨ CVE-2023-2106
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
GitHub
** Be careful, after updating, there is no way back ** Β· janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
π¨ CVE-2024-44206
An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.
π@cveNotify
An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.
π@cveNotify
Apple Support
About the security content of iOS 17.6 and iPadOS 17.6 - Apple Support
This document describes the security content of iOS 17.6 and iPadOS 17.6.
π¨ CVE-2024-23715
In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
π¨ CVE-2022-31667
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesnβt have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesnβt have access to, it was possible to revoke the robot account permissions.
π@cveNotify
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesnβt have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesnβt have access to, it was possible to revoke the robot account permissions.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating a robot account
### Impact
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesnβt have access to. API call:
PUT /robots/{robo...
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesnβt have access to. API call:
PUT /robots/{robo...
π¨ CVE-2022-31668
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
π@cveNotify
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating p2p preheat policies
### Impact
Harbor fails to validate the user permissions when updating p2p preheat policies - API call
PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}
By sending a req...
Harbor fails to validate the user permissions when updating p2p preheat policies - API call
PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}
By sending a req...