calibreweb@0.6.25 vulnerabilities

Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Direct Vulnerabilities

Known vulnerabilities in the calibreweb package. This does not include vulnerabilities belonging to this package’s dependencies.

Command Injection
Severity: M (medium)

Affected versions of this package are vulnerable to Command Injection via the /admin/ajaxconfig endpoint, which fails to properly neutralise special elements used in operating system commands. An attacker with administrator user access can execute commands such as /sbin/reboot to force a system restart, or launch /bin/bash in interactive mode if the process is connected to a terminal.

How to fix Command Injection?

There is no fixed version for calibreweb.

Vulnerable versions: [0,)

Regular Expression Denial of Service (ReDoS)
Severity: M (medium)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the strip_whitespaces function in the cps/string_helper.py file. An attacker can cause the application to become unresponsive by submitting a specially crafted username parameter during the login process, which triggers excessive backtracking in the regular expression engine.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for calibreweb.

Vulnerable versions: [0,)