CVE-2021-3987

CVSS V2 None CVSS V3 None

Description

An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.

Overview

CVE ID
CVE-2021-3987

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-11-15T10:52:29.478Z

Last Modified Date
2024-11-15T18:28:12.925Z

Weakness Enumerations

CWE	URL
CWE-284	http://cwe.mitre.org/data/definitions/284.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df
https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-3987
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3987

History

Created	Old Value	New Value	Data Type	Notes
2024-11-16 12:03:20				Added to TrackCVE