CVE-2024-7008
Published 2024-08-06
CVE-2024-7008: Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
Priority P3 · 46 · medium · 6.1 · CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit likelihood (EPSS): 24.06% (97.6th percentile)
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | <= 7.15.0 | — |
| calibre | calibre | — | — |
| calibre | calibre | >= 0 < 5.12.0+dfsg-1+deb11u2 | 5.12.0+dfsg-1+deb11u2 |
| calibre | calibre | >= 0 < 6.13.0+repack-2+deb12u4 | 6.13.0+repack-2+deb12u4 |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| debian | calibre | < calibre 6.13.0+repack-2+deb12u4 (bookworm) | calibre 6.13.0+repack-2+deb12u4 (bookworm) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 5.4 | MEDIUM | — |
Debian
CVE-2024-7008: calibre - Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected...
Source: vendor_debian · 2024 · CVSS 5.4 · MEDIUM
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
Scope: local
bookworm: resolved (fixed in 6.13.0+repack-2+deb12u4)
bullseye: resolved (fixed in 5.12.0+dfsg-1+deb11u2)
forky: resolved (fixed in 7.16.0+ds-1)
sid: resolved (fixed in 7.16.0+ds-1)
trixie: resolved (fixed in 7.16.0+ds-1)
GHSA
GHSA-5q8g-5hhx-x3c8: Unsanitized user input in Calibre <= 7
Source: ghsa_unreviewed · 2024-08-06 · MEDIUM · CWE-79
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
OSV
CVE-2024-7008: Unsanitized user input in Calibre <= 7
Source: osv · 2024-08-06 · CVSS 6.1 · MEDIUM
Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
No detection rules found.
Nuclei
Calibre <= 7.15.0 - Reflected Cross-Site Scripting (XSS)
Source: nuclei · CVSS 6.1 · MEDIUM
It is possible to inject arbitrary JavaScript code into the /browse endpoint of the Calibre content server, allowing an attacker to craft a URL that, when clicked by a victim, executes the attacker's JavaScript in the context of the victim's browser. If the Calibre server is running with authentication enabled and the victim is logged in at the time, this can be used to make the victim perform actions on the Calibre server on behalf of the attacker.
Template:

```yaml
id: CVE-2024-7008

info:
  name: Calibre <= 7.15.0 - Reflected Cross-Site Scripting (XSS)
  author: DhiyaneshDK
  severity: medium
  description: |
    It is possible to inject arbitrary JavaScript code into the /browse endpoint of the Calibre content server, allowing an atta
```
Published: 2024-08-06