CVE-2021-3986
published 2024-11-15CVE-2021-3986: A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file…
PriorityP418medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.36%
27.7th percentile
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibreweb | calibreweb | >= 0 < 0.6.15 | 0.6.15 |
| janeczku | calibre-web | < 0.6.15 | 0.6.15 |
| janeczku | janeczku_calibre-web | unspecified – latest | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv3.04.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
osv·2024-11-15
CVE-2021-3986 [MEDIUM] Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
GHSA
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
ghsa·2024-11-15
CVE-2021-3986 [MEDIUM] CWE-209 Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
Red Hat
php: SSRF bypass in FILTER_VALIDATE_URL
vendor_redhat·2021-07-01·CVSS 4.3
CVE-2021-21705 [MEDIUM] CWE-918 php: SSRF bypass in FILTER_VALIDATE_URL
php: SSRF bypass in FILTER_VALIDATE_URL
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
A flaw was found in php. Currently, php's FILTER_VALIDATE_URL check doesn't recognize some non-compliant RFC 3986 URLs and returns them as valid. This flaw allows an attacker to craft URLs, which depending on how the URL filter checking is used on the application side, lead to Server Side Request Forgery. This issue presents an integrity
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-15
Published