CVE-2021-3986

Name of the Vulnerable Software and Affected Versions janeczku/calibre-web versions prior to the fix

Description A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information.

Recommendations Update to the latest release to mitigate risks. As a temporary workaround, consider modifying the shelf.py file to prevent the exposure of private shelf names in error messages. Restrict access to the shelf.py file to minimize the risk of exploitation.