CVE-2021-44686
https://notcve.org/view.php?id=CVE-2021-44686
calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py. calibre versiones anteriores a 5.32.0, contiene una expresión regular que es vulnerable a ReDoS (denegación de servicio por expresión regular) en html_preprocess_rules en el archivo ebooks/conversion/preprocess.py • https://bugs.launchpad.net/calibre/+bug/1951979 https://github.com/dwisiswant0/advisory/issues/18 https://github.com/kovidgoyal/calibre/compare/v5.31.1...v5.32.0 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7QKFPYJ23KG6WJ5NIYAM4N2NWZCLQGL • CWE-400: Uncontrolled Resource Consumption •
CVE-2021-25965 – Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-25965
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. En Calibre-web, versiones 0.6.0 a 0.6.13, son vulnerables a un ataque de tipo Cross-Site Request Forgery (CSRF). Al atraer a un usuario autenticado para que haga clic en un enlace, un atacante puede crear un nuevo rol de usuario con privilegios de administrador y credenciales controladas por el atacante, permitiéndole tomar el control de la aplicación • https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-4126
https://notcve.org/view.php?id=CVE-2011-4126
Race condition issues were found in Calibre at devices/linux_mount_helper.c allowing unprivileged users the ability to mount any device to anywhere. Se encontraron problemas de condiciones de carrera en Calibre en el archivo devices/linux_mount_helper.c, permitiendo a usuarios no privilegiados la posibilidad de montar cualquier dispositivo en cualquier lugar • https://bugs.launchpad.net/calibre/+bug/885027 https://git.zx2c4.com/calibre-mount-helper-exploit/about https://lwn.net/Articles/464824 https://www.openwall.com/lists/oss-security/2011/11/02/2 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2011-4125
https://notcve.org/view.php?id=CVE-2011-4125
A untrusted search path issue was found in Calibre at devices/linux_mount_helper.c leading to the ability of unprivileged users to execute any program as root. Se encontró un problema de ruta de búsqueda no confiable en Calibre en el archivo devices/linux_mount_helper.c, conllevando a la posibilidad de que usuarios no privilegiados ejecutaran cualquier programa como root • https://bugs.launchpad.net/calibre/+bug/885027 https://git.zx2c4.com/calibre-mount-helper-exploit/about https://lwn.net/Articles/464824 https://www.openwall.com/lists/oss-security/2011/11/02/2 • CWE-426: Untrusted Search Path •
CVE-2011-4124
https://notcve.org/view.php?id=CVE-2011-4124
Input validation issues were found in Calibre at devices/linux_mount_helper.c which can lead to argument injection and elevation of privileges. Se han encontrado problemas de comprobación de entrada en Calibre en el archivo devices/linux_mount_helper.c que pueden conllevar a una inyección de argumentos y elevación de privilegios • https://bugs.launchpad.net/calibre/+bug/885027 https://git.zx2c4.com/calibre-mount-helper-exploit/about https://lwn.net/Articles/464824 https://www.openwall.com/lists/oss-security/2011/11/02/2 • CWE-20: Improper Input Validation •