CVE-2024-39307

Cross-Site Scripting (XSS) vulnerability via crafted ebooks in Kavita

CVSS 3.5 LOWEPSS 0.5%CWE-79

Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Affected products

Kareadita · Kavita

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Kareadita/Kavita/security/advisories/GHSA-r4qc-3w52-2v84