CVE-2024-39123: Calibre-Web Cross Site Scripting (XSS)

July 19, 2024

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

References

github.com/advisories/GHSA-j22r-3rf3-cv25
github.com/janeczku/calibre-web
github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123
nvd.nist.gov/vuln/detail/CVE-2024-39123

Code Behaviors & Features

Detect and mitigate CVE-2024-39123 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →