Vulnerability Description
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Janeczku | Calibre-Web | >= 0.6.0, <= 0.6.13 |
Related Weaknesses (CWE)
References
- https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2dPatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965Third Party Advisory
- https://github.com/janeczku/calibre-web/commit/50919d47212066c75f03ee7a5332ecf2dPatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25965Third Party Advisory
FAQ
What is CVE-2021-25965?
CVE-2021-25965 is a vulnerability with a CVSS score of 8.8 (HIGH). In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin priv...
How severe is CVE-2021-25965?
CVE-2021-25965 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25965?
Check the references section above for vendor advisories and patch information. Affected products include: Janeczku Calibre-Web.