Lucene search

MendCVELIST:CVE-2021-25965

HistoryNov 16, 2021 - 9:15 a.m.

CVE-2021-25965 Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)

2021-11-1609:15:11

CWE-352

Mend

www.cve.org

calibre-web

vulnerability

admin account takeover

csrf

cross-site request forgery

user role

admin privileges

credentials

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

38.9%

JSON

In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.

CNA Affected

[
  {
    "product": "calibreweb",
    "vendor": "calibreweb",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.6.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "0.6.13",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2d584b98e

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

38.9%

JSON

Related for CVELIST:CVE-2021-25965