CVE-2024-6782 – Calibre Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-6782
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. El control de acceso inadecuado en Calibre 6.9.0 ~ 7.14.0 permite a atacantes no autenticados lograr la ejecución remota de código. • https://github.com/Uno13x/CVE-2024-6782-PoC https://github.com/zangjiahe/CVE-2024-6782 https://github.com/jdpsl/CVE-2024-6782 https://github.com/R4idB0Y/CVE-2024-6782-PoC https://github.com/0xB0y426/CVE-2024-6782-PoC https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9 https://starlabs.sg/advisories/24/24-6782 • CWE-863: Incorrect Authorization •
CVE-2024-6781 – Calibre Arbitrary File Read
https://notcve.org/view.php?id=CVE-2024-6781
Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve arbitrary file read. El path traversal en Calibre <= 7.14.0 permite a atacantes no autenticados lograr lecturas de archivos arbitrarias. • https://github.com/kovidgoyal/calibre/commit/bcd0ab12c41a887f8290a9b56e46c3a29038d9c4 https://starlabs.sg/advisories/24/24-6781 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-46303
https://notcve.org/view.php?id=CVE-2023-46303
link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. link_to_local_path en ebooks/conversion/plugins/html_input.py en calibre anterior a 6.19.0 puede, de forma predeterminada, agregar recursos fuera del root del documento. • https://github.com/0x1717/ssrf-via-img https://github.com/kovidgoyal/calibre/compare/v6.18.1...v6.19.0 • CWE-918: Server-Side Request Forgery (SSRF) •