CVE-2021-3986

Published: Nov 15, 2024Modified: Nov 19, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.

Affected (1)

Products: Janeczku: Calibre Web

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Janeczku Calibre Web	Before 0.6.15

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (2)

https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548

Source: security@huntr.dev

Patch

https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca

Source: security@huntr.dev

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.