CVE-2021-3987

MEDIUM · EPSS 25.3%
Published Nov 15, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
4.3 CVSS 3.1
Medium

Description

An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.
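The defect described above is a missing server-side authorization check: the "public" flag arrives with the request and is persisted without consulting the caller's role. The following stand-alone Python model is an added illustration and is not calibre-web's own code; the `User`, `Shelf`, `ShelfStore` names and the `can_create_public_shelf` permission flag are assumptions chosen for the example, not calibre-web's real role model. It shows the unchecked path beside the hardened one, and adds a small audit routine that finds public shelves whose owner lacks the permission, which is the residue a defender would look for after running an unpatched version.

```python
"""Model of the missing-authorization pattern behind CVE-2021-3987.

Hypothetical, stand-alone code (not calibre-web's): a user carries a
permission flag, and a create-shelf routine either omits or performs the
check before persisting a public shelf.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller lacks the permission an action requires."""


@dataclass
class User:
    name: str
    # Assumed permission flag; calibre-web's actual role bits are not reproduced here.
    can_create_public_shelf: bool = False


@dataclass
class Shelf:
    name: str
    owner: str
    is_public: bool


@dataclass
class ShelfStore:
    shelves: list = field(default_factory=list)

    def create_shelf_vulnerable(self, user: User, name: str, is_public: bool) -> Shelf:
        """Mirrors the flaw in the description: the public flag comes from the
        request and is stored without checking the caller's permission."""
        shelf = Shelf(name=name, owner=user.name, is_public=is_public)
        self.shelves.append(shelf)
        return shelf

    def create_shelf_fixed(self, user: User, name: str, is_public: bool) -> Shelf:
        """Hardened form: authorization is decided server-side from the user's
        role, before any state is written."""
        if is_public and not user.can_create_public_shelf:
            raise Forbidden(f"{user.name} may not create public shelves")
        shelf = Shelf(name=name, owner=user.name, is_public=is_public)
        self.shelves.append(shelf)
        return shelf


def find_unauthorized_public_shelves(store: ShelfStore, users: dict) -> list:
    """Post-incident check: public shelves whose owner lacks the permission,
    which is what the unchecked path leaves behind."""
    return [
        s for s in store.shelves
        if s.is_public and not users[s.owner].can_create_public_shelf
    ]


def demo() -> tuple:
    """Exercise both paths with constructed users.

    Returns (vulnerable_shelf_is_public, fixed_path_error, audit_hits)."""
    alice = User("alice", can_create_public_shelf=True)
    mallory = User("mallory")  # constructed user without the permission
    users = {u.name: u for u in (alice, mallory)}

    store = ShelfStore()
    # Unpatched behaviour: is_public=True from the request is honoured regardless of role.
    leaked = store.create_shelf_vulnerable(mallory, "everyone-sees-this", is_public=True)

    # Patched behaviour: the same request is refused.
    try:
        store.create_shelf_fixed(mallory, "still-not-allowed", is_public=True)
        refused = None
    except Forbidden as exc:
        refused = str(exc)

    # Permitted cases still work on the fixed path.
    store.create_shelf_fixed(alice, "alice-public", is_public=True)
    store.create_shelf_fixed(mallory, "mallory-private", is_public=False)

    hits = [s.name for s in find_unauthorized_public_shelves(store, users)]
    return leaked.is_public, refused, hits


if __name__ == "__main__":
    print(demo())
```

The point of the fixed path is that the decision depends only on the server's view of the user's role, never on anything the client sends; the audit helper is useful because the vulnerable path leaves a durable artifact (a public shelf owned by an unprivileged user) that survives after patching.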

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
25.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-284 Improper Access Control
CWE-862 Missing Authorization

Affected Products 1

Vendor    Product      Version  Range
janeczku  calibre-web  *        <0.6.15

References 2

  • github.com https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874
    Patch
  • huntr.com https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df
    Exploit

Remediation

  • github.com https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874
    Patch