Description
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
A flaw was found in Calibre, an e-book manager. This Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows an attacker to achieve arbitrary code execution. This occurs when a user converts an ebook using a specially crafted malicious custom template file, provided via the --template-html or --template-html-index command-line options. This could lead to a complete compromise of the affected system.
Report
This is an IMPORTANT arbitrary code execution vulnerability in Calibre's HTML export functionality. It occurs when a user processes an ebook with a specially crafted custom template file using the --template-html or --template-html-index command-line options. This issue affects Calibre versions prior to 9.2.0, as distributed in Fedora 42 and Fedora 43.
Mitigation
To mitigate this vulnerability, users should avoid converting ebooks using untrusted or malicious custom template files with the --template-html or --template-html-index command-line options. Only use template files from trusted sources.
Additional information
Status: 7.8 High (CVSS3)