Komga Cross-Site Scripting Vulnerability in EPUB Handling Allowing Arbitrary Code Execution
Vulnerability
A Cross-Site Scripting (XSS) vulnerability has been identified in Komga versions from 1.8.0 up to, but not including, 1.21.3. The issue arises when EPUB resources are served either directly from the API or through the EPUB reader, so that script content embedded in an EPUB runs in the Komga application's origin. This allows an attacker to perform actions on behalf of the victim. When the victim is an admin user, the XSS can be chained with a server-side command to achieve arbitrary code execution. To exploit the vulnerability, a malicious EPUB file must be uploaded to a Komga library and then opened by an admin user in the EPUB reader.
Impact
Exploitation of this vulnerability results in Cross-Site Scripting, allowing actions to be performed on behalf of the affected user. For an admin user, this can be combined with server-side command execution to achieve arbitrary code execution.
Reproduction
To reproduce this vulnerability, upload a malicious EPUB file to a Komga library. Then, access the file using the EPUB reader as an admin user. The XSS payload will be executed in the context of the admin user, potentially leading to arbitrary code execution if a server-side command can be controlled.
Remediation
Users can upgrade to Komga version 1.22.0 or later, where this vulnerability has been patched.
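Beyond upgrading, an operator can audit the EPUB files already in a library for the constructs a reader must never execute in the application's origin. The scanner below is an added example, not Komga's code or part of the advisory: it opens the EPUB container (a zip of XHTML/SVG content documents) and flags script elements, inline event-handler attributes and javascript: URIs. The function names, labels and the constructed sample EPUBs are assumptions of this example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

CONTENT_SUFFIXES = (".xhtml", ".html", ".htm", ".svg")  # EPUB content documents

def _local(name):  # strip ElementTree's "{uri}" namespace prefix from a tag/attribute name
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(doc: bytes) -> list:
    """Labels of script-capable constructs in one content document (empty list = clean)."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return ["unparseable-document"]  # cannot inspect it, so treat it as suspect
    labels = set()
    for el in root.iter():
        if _local(el.tag) == "script":
            labels.add("script-element")
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):
                labels.add("event-handler")
            elif _local(attr) in ("href", "src") and value.strip().lower().startswith("javascript:"):
                labels.add("javascript-uri")
    return sorted(labels)

def scan_epub(data: bytes) -> dict:
    """Map each content document in the EPUB that carries active content to its labels."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(CONTENT_SUFFIXES):
                labels = find_active_content(zf.read(info))
                if labels:
                    report[info.filename] = labels
    return report

def build_epub(docs: dict) -> bytes:  # minimal OCF container from {member path: xhtml}; fixture only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        for path, body in docs.items():
            zf.writestr(path, body)
    return buf.getvalue()

# Constructed samples: a benign chapter, and a chapter carrying the constructs the scanner flags.
CHAPTER = "<html><body><p>Chapter one</p></body></html>"
CLEAN_EPUB = build_epub({"OEBPS/ch1.xhtml": CHAPTER})
SUSPECT_EPUB = build_epub({"OEBPS/ch1.xhtml": CHAPTER,
                           "OEBPS/ch2.xhtml": '<html><body onload="f()"><script>/* marker */</script></body></html>'})
```

Any non-empty report is a reason to quarantine the file before it is opened in the reader; an unparseable document is flagged rather than skipped because it cannot be inspected.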
