CVE-2021-25964

Name of the Vulnerable Software and Affected Versions Calibre-web versions 0.6.0 through 0.6.12

Description The issue concerns a Stored XSS in the "Metadata" of the Calibre-web application. An attacker with access to edit metadata information can inject a JavaScript payload in the description field. When a victim attempts to open the file, the XSS is triggered, allowing the attacker to execute malicious scripts.

Recommendations For versions 0.6.0 through 0.6.12, as a temporary workaround, consider restricting access to editing metadata information until a patch is available. Avoid using the description field in the metadata for any sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.