漏洞描述
Calibre<=7.15.0中的未初始化用户输入允许攻击者执行反射型跨站脚本,攻击者可以将任意 JavaScript代码注入到/browse,从而允许攻击者构造一个 URL,当受害者点击该 URL 时,会在受害者浏览器的上下文中执行攻击者的 JavaScript 代码。如果Calibre 服务器运行时启用了身份验证,并且受害者当时已登录,则攻击者可以利用此漏洞使受害者代表攻击者在 Calibre 服务器上执行操作。
Calibre <= 7.15.0 XSS漏洞(CVE-2024-7008)
PoC代码
暂无相关漏洞推荐
- D-Link DI-704 默认口令漏洞
- 微力同步 /rest/f/api/resources/f96956469e7be39d 文件读取漏洞
- POC CVE-2024-24882: Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation
- POC CVE-2017-11107: phpLDAPadmin <= 1.2.3 - Reflected XSS
- POC CVE-2017-17762: Episerver 7 - Blind XML External Entity Injection
- POC CVE-2017-18580: WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
- POC CVE-2017-20192: Formidable Forms < 2.05.02 - Cross-Site Scripting
- POC CVE-2018-10245: AWStats <= 7.5 - Full Path Disclosure
- POC CVE-2021-20617: Acmailer - Improper Access Control to OS Command Injection
- POC CVE-2021-22175: GitLab CI Lint API - Server-Side Request Forgery
- POC CVE-2021-24213: GiveWP <= 2.9.7 - Cross-Site Scripting
- POC CVE-2021-24657: Limit Login Attempts WordPress - Stored Cross-site Scripting
- POC CVE-2021-25082: WordPress Popup Builder < 4.0.7 - Remote Code Execution