CVE-2021-3986

Published: Nov 15, 2024

Modified: Nov 15, 2024

PUBLISHED

CVSS v3.0

4.3

MEDIUM

Description

A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.

Vendor	Product	Versions
janeczku	janeczku/calibre-web	affected `unspecified - <= latest`

Weaknesses (CWE)

CWE-209

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca

https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-3986

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References