CVE-2021-4170: 
Python vulnerability analysis and mitigation

CVE-2021-4170 is a Cross-site Scripting (XSS) vulnerability discovered in calibre-web. The vulnerability was identified and disclosed on December 25, 2021, affecting versions prior to 0.6.15. This security issue stems from improper neutralization of input during web page generation (NVD, CVE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while huntr.dev assessed it at 7.3 (HIGH) with vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. The CVSS v2.0 score was rated at 3.5 (LOW) (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks, potentially leading to unauthorized access to sensitive information and manipulation of web content. The impact is characterized by low confidentiality and integrity impacts in a chained attack scenario, requiring user interaction (NVD).

A patch has been released to address this vulnerability. The fix involves changing the HTML handling in the file upload functionality, specifically modifying the code to use .text() instead of .html() for filename display (GitHub Patch). Users should upgrade to version 0.6.15 or later to mitigate this vulnerability.