Page 4 of 17 results (0.005 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-25964 – Stored Cross-Site Scripting (XSS) in Calibre-web via Description Field in Metadata

https://notcve.org/view.php?id=CVE-2021-25964

In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered. En la aplicación "Calibre-web", versiones v0.6.0 a v0.6.12, son vulnerables a un ataque de tipo XSS almacenado en "Metadata". Un atacante que tenga acceso a editar la información de los metadatos, puede inyectar una carga útil de JavaScript en el campo description. • https://github.com/janeczku/calibre-web/commit/32e27712f0f71fdec646add20cd78b4ce75acfce https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25964 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2020-12627

https://notcve.org/view.php?id=CVE-2020-12627

Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. Calibre-Web versión 0.6.6, permite una omisión de autenticación debido a la clave secreta embebida "A0Zr98j/3yX R~XHH!jmN]LWX/,? • https://github.com/janeczku/calibre-web/pull/1337 • CWE-798: Use of Hard-coded Credentials •