Cross-site Scripting (XSS) - Reflected in janeczku/calibre-web


Reported on

Jan 17th 2022


There is a reflected XSS vulnerability on the site calibre-web.

Proof of Concept

1. go to the calibre e-book management
2. create a new book, give the title name <script src=1 href=1 onerror="javascript:alert(300)"></script>
3. and give the title sort name <script src=1 href=1 onerror="javascript:alert(300)"></script>
4. save and go to the website
5. go to Author of one of the books
7. then right click and press inspect element
8. then press Author/stored
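The steps above inject a book title into a page that renders it without output encoding. The following added example (not code from calibre-web or from the reporter) shows, in Python, the difference between echoing a stored title into HTML as-is and HTML-escaping it first, and includes a small check that a defender can run against rendered fragments to confirm no active tags or event-handler attributes survive. The title string is taken from the report's PoC; the `render_title_*` helpers and the `active_content` checker are assumed names for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the exact title payload from the report's PoC.
PAYLOAD_TITLE = '<script src=1 href=1 onerror="javascript:alert(300)"></script>'

# Tags and attribute prefixes that can execute script in a browser context.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "img"}


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: stored user data is interpolated into markup verbatim."""
    return f'<h2 class="title">{title}</h2>'


def render_title_safe(title: str) -> str:
    """Hardened pattern: encode <, >, &, and quotes before interpolation.

    This is what Jinja2 autoescaping does for a Flask template; doing it
    explicitly here makes the behaviour visible outside a template engine.
    """
    return f'<h2 class="title">{html.escape(title, quote=True)}</h2>'


class _TagCollector(HTMLParser):
    """Collects every start tag with its attributes from an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[tuple[str, str | None]]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, attrs))


def active_content(fragment: str) -> list[tuple[str, list[str]]]:
    """Return (tag, [attribute names]) for every tag that is script-capable
    or carries an on* event-handler attribute in the rendered fragment.

    An empty list means the fragment contains no browser-executable markup
    introduced by the interpolated value.
    """
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    findings = []
    for tag, attrs in collector.tags:
        names = [name.lower() for name, _ in attrs]
        if tag.lower() in ACTIVE_TAGS or any(n.startswith("on") for n in names):
            findings.append((tag.lower(), names))
    return findings


if __name__ == "__main__":
    print("unsafe:", render_title_unsafe(PAYLOAD_TITLE))
    print("  active content:", active_content(render_title_unsafe(PAYLOAD_TITLE)))
    print("safe:  ", render_title_safe(PAYLOAD_TITLE))
    print("  active content:", active_content(render_title_safe(PAYLOAD_TITLE)))
```

Run against the PoC title, the unsafe rendering yields a live `script` tag carrying an `onerror` handler, while the escaped rendering yields none. The same check can be pointed at an HTML response fetched from a test instance to confirm a fix after deployment.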

Video POC:


Reflected XSS allows attackers to misguide visitors of a website, steal cookies, and send arbitrary requests.

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 2 years ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago


I can't reproduce it. There is something wrong in the code, I agree to that. If I open the author view with the book I see a '">' on top of the cover, and clicking on the cover no longer opens a dialog (books detail dialog); instead the books detail view (the one with the blue Download buttons) is opened as a new page. No JavaScript is executed. I tested it with the newest commit on master. Checked browsers are Firefox (96.0.1) and Chromium (97.0.4692.71). Both on Linux Mint 20.4. Your video only shows the second part of the problem. The link to open authors normally ends with an author ID; the only link without ID is for author 1. Does this also happen with other books than the first one?

We have sent a follow up to the janeczku/calibre-web team. We will try again in 4 days. 2 years ago
janeczku validated this vulnerability 2 years ago
alicaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku marked this as fixed in 0.6.16 with commit 6bf075 2 years ago
The fix bounty has been dropped