calibreweb@0.6.15 vulnerabilities

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Weak Password Requirements due to missing rate limits in the login functionality.

Upgrade calibreweb to version 0.6.20 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Brute Force due to missing rate limiting in login form.

Upgrade calibreweb to version 0.6.20 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to SQL Injection in the user table.

Upgrade calibreweb to version 0.6.18 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper fix of CVE-2022-0767 and CVE-2022-0766 which only address loopback/localhost IP addresses which can allow attacker to access internal endpoints.

Upgrade calibreweb to version 0.6.18 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Improper Access Control due to improper HTML rendering, when the user doesn't have view permissions to read the name of a private shelf, the server continues to render the HTML containing shelf.name instead of showing error messages and redirect. Exploiting this vulnerability leads to disclosing the name of the private shelf.

Upgrade calibreweb to version 0.6.16 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper fix CVE-2022-0767, which makes it possible to be bypassed via the IPV4/IPV4 embedding.

Upgrade calibreweb to version 0.6.18 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to an incomplete SSRF protection that can be bypassed via an HTTP redirect. An HTTP server that is set up to respond with a 302 redirect may redirect a request to localhost.

Upgrade calibreweb to version 0.6.17 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to an incomplete fix for CVE-2022-0339. The blacklist does not check for 0.0.0.0, which would result in a payload of 0.0.0.0 resolving to localhost.

Upgrade calibreweb to version 0.6.17 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Improper Access Control. This is caused because low-level users can create a new shelf with public mode.

Upgrade calibreweb to version 0.6.16 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of safe statement.

Upgrade calibreweb to version 0.6.16 or higher.

calibreweb is a Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization of Fetch Cover from URL field, which makes it possible to point to a malicious server instead of an external URL.

Upgrade calibreweb to version 0.6.16 or higher.