← back
CVE-2024-39307

Cross-Site Scripting (XSS) vulnerability via crafted ebooks in Kavita

CVSS 3.5 LOWEPSS 0.5%CWE-79
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.5EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
28 Jun 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Affected products
Kareadita · Kavita

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Kareadita/Kavita/security/advisories/GHSA-r4qc-3w52-2v84