CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0352 – Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web
https://notcve.org/view.php?id=CVE-2022-0352
28 Jan 2022 — Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Reflejado en Pypi calibreweb versiones anteriores a 0.6.16 • https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4164 – Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
https://notcve.org/view.php?id=CVE-2021-4164
17 Jan 2022 — calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) calibre-web es vulnerable a un ataque de tipo Cross-Site Request Forgery (CSRF) • https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4171 – Business Logic Errors in janeczku/calibre-web
https://notcve.org/view.php?id=CVE-2021-4171
17 Jan 2022 — calibre-web is vulnerable to Business Logic Errors calibre-web es vulnerable a Errores de Lógica Empresarial • https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce • CWE-840: Business Logic Errors •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4170 – Cross-site Scripting (XSS) - Stored in janeczku/calibre-web
https://notcve.org/view.php?id=CVE-2021-4170
16 Jan 2022 — calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') calibre-web es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25965 – Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-25965
16 Nov 2021 — In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. En Calibre-web, versiones 0.6.0 a 0.6.13, son vulnerables a un ataque de tipo Cross-Site Request Forgery (CSRF). Al atraer a un usuario autenticado para que haga clic en un enlace, un atacante puede crear un nuevo rol de usu... • https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25964 – Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata
https://notcve.org/view.php?id=CVE-2021-25964
04 Oct 2021 — In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered. En la aplicación "Calibre-web", versiones v0.6.0 a v0.6.12, son vulnerables a un ataque de tipo XSS almacenado en "Metadata". Un atacante que tenga acceso a editar la información de los metadatos, puede inyectar una carga útil de JavaScript... • https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12627
https://notcve.org/view.php?id=CVE-2020-12627
04 May 2020 — Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. Calibre-Web versión 0.6.6, permite una omisión de autenticación debido a la clave secreta embebida "A0Zr98j/3yX R~XHH!jmN]LWX/,? • https://github.com/janeczku/calibre-web/pull/1337 • CWE-798: Use of Hard-coded Credentials •