CVE-2021-3986

EUVD-2024-3282
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
janeczkucalibre-web
𝑥
< 0.6.15
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
calibre-web_projectcalibre-web
𝑥
< *
ADP
Common Weakness Enumeration
References
https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548
https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca