Calibre-Web Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Calibre-Web version 0.6.25. This issue allows attackers to inject malicious JavaScript into the 'username' field during user creation. The injected payload is stored without proper sanitization and is executed when the '/ajax/listusers' endpoint is accessed. This vulnerability affects the user management feature, specifically the username field, and can lead to the execution of arbitrary JavaScript in the context of an authenticated admin session.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the affected user, potentially leading to session cookie theft, execution of privileged actions, modification of user accounts or application settings, and persistent injection of malicious content into the application UI. This vulnerability could also be used as a stepping stone for more advanced attacks, such as chaining with cross-site request forgery or credential theft.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Add New User' page. Inject a malicious payload, such as an image tag with an 'onerror' event, into the 'Username' field. After submitting the form, the injected username is stored in the database without sanitization. To trigger the stored XSS, access the '/ajax/listusers' endpoint, where the injected JavaScript will be executed in the browser.
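Added defensive illustration, not code from Calibre-Web or from this advisory: the two controls that address this bug class are encoding user-controlled strings on output when the user list is served, and auditing rows already stored, since a stored payload persists in the database until the offending record is cleaned up. The sample rows, the username allow-list policy and all function names below are constructed assumptions, not Calibre-Web internals.

```python
import html
import json
import re

# Constructed sample rows standing in for a user table; not real Calibre-Web data.
SAMPLE_USERS = [
    {"id": 1, "name": "admin", "email": "admin@example.com"},
    {"id": 2, "name": "<img src=x onerror=alert(1)>", "email": "x@example.com"},
    {"id": 3, "name": "reader", "email": "reader@example.com"},
]

# Hypothetical allow-list for usernames (assumption, not the project's own rule):
# letters, digits and a few separators, at most 64 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def is_valid_username(name: str) -> bool:
    # Input-side check applied at user creation time.
    return USERNAME_RE.fullmatch(name) is not None


def render_user_list_unsafe(users):
    # Vulnerable pattern: the raw username goes straight into the JSON that the
    # admin page's table renders as HTML. Shown only for contrast.
    return json.dumps({"rows": [{"id": u["id"], "name": u["name"]} for u in users]})


def render_user_list_escaped(users):
    # Hardened pattern: HTML-encode every user-controlled string on output, so the
    # browser renders it as text even if the client inserts it via innerHTML.
    return json.dumps(
        {"rows": [{"id": u["id"], "name": html.escape(u["name"], quote=True)} for u in users]}
    )


def audit_stored_usernames(users):
    # Defender check: list ids of rows whose stored username violates the policy,
    # i.e. candidates for an already-planted payload that output encoding alone
    # would only neutralise, not remove.
    return [u["id"] for u in users if not is_valid_username(u["name"])]
```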

Added: Dec 2, 2025, 2:18 PM
Updated: Dec 2, 2025, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread:         2.6
impact:         5.4
exploitability: 5.8
remediation:    0.0
relevance:      1.2
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.