CVE-2021-3988

Name of the Vulnerable Software and Affected Versions janeczku/calibre-web (affected versions not specified)

Description A Cross-site Scripting (XSS) issue exists, specifically in the file edit books.js, when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.

Recommendations As a temporary workaround, consider disabling the editing of book properties, such as uploading covers or formats, until a patch is available. Restrict access to the edit books.js file to minimize the risk of exploitation. Avoid using the #btn-upload-cover change event in the affected code until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.