CVE-2024-7008: 
NixOS vulnerability analysis and mitigation

Calibre version 7.15.0 and earlier contains a reflected cross-site scripting vulnerability (CVE-2024-7008) that was discovered in July 2024. The vulnerability affects the content server feature of Calibre, specifically in the /browse endpoint. This security flaw allows attackers to perform reflected cross-site scripting attacks through unsanitized user input (STAR Labs Advisory, NVD).

The vulnerability exists in the src/calibre/srv/legacy.py file where the browse endpoint fails to properly sanitize user input before incorporating it into the page response. The CVSS v3.1 base score is 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, STAR Labs Advisory).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser. If the Calibre server is running with authentication enabled and the victim is logged in, the attacker can potentially cause the victim to perform unauthorized actions on the Calibre server (STAR Labs Advisory).

The vulnerability has been patched in version 7.16.0 of Calibre. The fix involves ensuring that user input is properly validated before being used in HTML content generation, specifically by verifying that book IDs contain only digits. Users are advised to upgrade to the latest version (Calibre Commit, STAR Labs Advisory).