PT-2024-26399 · Unknown · Audiobookshelf

Thegebirge · Published 2024-05-27 · Updated 2025-07-10

CVE-2024-35236
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Audiobookshelf versions prior to 2.10.0

Description: Audiobookshelf is a self-hosted audiobook and podcast server. Opening an ebook that contains malicious scripts can lead to script execution inside the browsing context (cross-site scripting). If the attacked user holds high privileges, such as upload or library creation capabilities, this can in the worst case be escalated to remote code execution (RCE). The issue is not limited to a specific operating system: an arbitrary file write is a powerful enough primitive to potentially lead to RCE on various platforms, including Linux.

Recommendations: For versions prior to 2.10.0, update to version 2.10.0 to resolve the issue. As a temporary workaround, consider restricting user privileges, especially those related to upload and library creation, to minimize the risk of exploitation. Additionally, avoid opening ebooks from untrusted sources to reduce the risk of code execution.

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-35236
GHSA-7J99-76CJ-Q9PG

Affected Products

Audiobookshelf