6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3988

GHSA ID

GHSA-r735-9gc6-2hvq

EPSS Score

0.15964%

CWE

CWE-79

Published

11/15/2024

Updated

11/19/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3988

CVE-2021-3988: Cross-site Scripting (XSS) - DOM in janeczku/calibre-web

A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file edit_books.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3988

GHSA ID

GHSA-r735-9gc6-2hvq

EPSS Score

0.15964%

CWE

CWE-79

Published

11/15/2024

Updated

11/19/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
calibreweb	pip	< 0.6.15	0.6.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch modifies the event handlers for #btn-upload-format and #btn-upload-cover change events to prevent XSS by using .text() instead of .html(). This indicates the code within these event handlers was vulnerable. Since these are anonymous functions, they don't have a specific name, but they are the primary points of vulnerability.

Vulnerable functions

cps/static/js/edit_books.js

The anonymous functions handling the change events for #btn-upload-format and #btn-upload-cover were directly inserting user input into the DOM using .html(), making them vulnerable to XSS. The fix involves using .text() to sanitize the input.

WAF Protection Rules

WAF Rule

* *ross-sit* S*riptin* (XSS) vuln*r**ility *xists in j*n**zku/**li*r*-w**, sp**i*i**lly in t** *il* `**it_*ooks.js`. T** vuln*r**ility o**urs w**n **itin* *ook prop*rti*s, su** *s uplo**in* * *ov*r or * *orm*t. T** *****t** *o** *ir**tly ins*rts us*r

Reasoning

T** p*t** mo*i*i*s t** *v*nt **n*l*rs *or #*tn-uplo**-*orm*t *n* #*tn-uplo**-*ov*r ***n** *v*nts to pr*v*nt XSS *y usin* `.t*xt()` inst*** o* `.*tml()`. T*is in*i**t*s t** *o** wit*in t**s* *v*nt **n*l*rs w*s vuln*r**l*. Sin** t**s* *r* *nonymous *un

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-3988: Cross-site Scripting (XSS) - DOM in janeczku/calibre-web

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI