Advisory

Calibre e-book software fixes multiple flaws, one critical

Take action: If you are using Calibre, update to version 7.16; it is quick and worth the effort. If you use the content server feature, make sure it is protected with a strong password, or disable it if it is not essential. Ideally, restrict access to the Calibre content server to a trusted network and do not expose it to the internet.


Learn More

Calibre, a widely-used e-book management tool, has addressed multiple security vulnerabilities in its system. These vulnerabilities,

Details of the Vulnerabilities:

  1. CVE-2024-6782 (CVSS Score 9.8) - A code injection vulnerability allows attackers to inject and execute arbitrary code through Calibre's content server. No prior authentication is required, so an attacker could potentially gain full control of the affected system. The flaw is patched in the latest update; users should also secure their content server with a password or disable it entirely if it is not needed.

  2. CVE-2024-6781 (CVSS Score 7.5) - A path traversal vulnerability allows attackers to read arbitrary files on the system. It stems from insufficient restriction of path names, which lets an attacker step outside the intended directory using sequences such as "../". Users are advised to upgrade immediately.

  3. CVE-2024-7008 (CVSS Score 5.4) - A cross-site scripting (XSS) vulnerability could allow attackers to execute malicious scripts in another user's browser session, which could lead to the theft of sensitive information or further attacks on the user's system. Users are advised to upgrade immediately.

  4. CVE-2024-7009 (CVSS Score 4.2) - An SQL injection vulnerability could let attackers manipulate database queries, potentially leading to unauthorized data access or data corruption. Users are advised to upgrade immediately.
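For the path traversal item, the defensive check that closes this class of bug is to canonicalise the requested path against the library root and refuse anything that ends up outside it. The following is an added illustration, not Calibre's own implementation: the library layout, file names and the `resolve_library_path` function are constructed for the example.

```python
"""Added example: canonicalise a user-supplied relative path and refuse anything
that escapes the library root. Illustration code, not Calibre's own."""
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, Optional


def resolve_library_path(root: Path, requested: str) -> Optional[Path]:
    """Return the canonical path for `requested` inside `root`, or None if it escapes.

    Resolving before comparing is what matters: a purely lexical ".." filter
    misses symlinks inside the root that point elsewhere.
    """
    if not requested or PurePosixPath(requested).is_absolute():
        return None
    # NUL bytes are never valid in a path and usually indicate a crafted request.
    if "\x00" in requested:
        return None
    root_resolved = root.resolve(strict=False)
    candidate = (root_resolved / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    return candidate


def demo() -> Dict[str, str]:
    """Build a throwaway library in a temp dir and classify several requests.

    Returns a mapping request -> "served" or "rejected" so outcomes can be checked.
    """
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "library"
        (root / "Author" / "Book").mkdir(parents=True)
        (root / "Author" / "Book" / "book.epub").write_bytes(b"constructed sample")
        # A file outside the library that must never be reachable.
        secret = base / "secret.txt"
        secret.write_text("constructed secret")
        # A symlink inside the library that points outside it.
        os.symlink(secret, root / "Author" / "link.txt")

        requests = [
            "Author/Book/book.epub",            # legitimate request
            "Author/../Author/Book/book.epub",  # ".." that still stays inside
            "../secret.txt",                    # classic traversal
            "Author/../../secret.txt",          # traversal after a valid segment
            "Author/link.txt",                  # symlink escape
            "/etc/hostname",                    # absolute path
        ]
        for req in requests:
            served = resolve_library_path(root, req) is not None
            results[req] = "served" if served else "rejected"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:8s} {request}")
```

Resolving the candidate before the prefix comparison is what catches the symlink case; a check that only strips `../` from the string would let it through, and the benign `Author/../Author/...` request shows that the check does not need to ban `..` outright.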
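For the SQL injection item, an added example (not Calibre's database code; the `books` table and its sample rows are constructed) shows why parameter binding is the fix: the same quote-bearing input breaks a query assembled by string formatting but is treated as a plain value when passed as a bound parameter.

```python
"""Added example: string-built versus parameterised SQL against a constructed
SQLite table. Illustration only, not Calibre's own code."""
import sqlite3
from typing import Dict, List, Optional

# Constructed sample rows; one title deliberately contains an apostrophe.
SAMPLE_BOOKS = [("Dune", "Herbert"), ("Emma", "Austen"), ("O'Reilly Guide", "Anon")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books (title, author) VALUES (?, ?)", SAMPLE_BOOKS)
    return conn


def search_unsafe(conn: sqlite3.Connection, title: str) -> List[str]:
    """Vulnerable form: the value is spliced into the SQL text, so quotes in it
    change the meaning of the statement."""
    sql = f"SELECT title FROM books WHERE title = '{title}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, title: str) -> List[str]:
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared against the column and never parsed as SQL."""
    rows = conn.execute("SELECT title FROM books WHERE title = ?", (title,))
    return [row[0] for row in rows]


def demo() -> Dict[str, Optional[List[str]]]:
    """Run both forms on a benign quote-bearing title and on a crafted value.

    A None entry means the query raised sqlite3.Error (the unsafe form cannot
    even handle the legitimate apostrophe); list entries are the titles returned.
    """
    conn = make_db()
    inputs = {
        "benign": "O'Reilly Guide",     # a real title with a quote in it
        "crafted": "x' OR '1'='1",      # constructed value whose quotes alter the unsafe query
    }
    out: Dict[str, Optional[List[str]]] = {}
    for label, fn in (("unsafe", search_unsafe), ("safe", search_safe)):
        for name, value in inputs.items():
            try:
                out[f"{label}_{name}"] = fn(conn, value)
            except sqlite3.Error:
                out[f"{label}_{name}"] = None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} -> {value}")
```

The benign case is the more telling one for a defender: the string-built query fails on an ordinary title containing an apostrophe, so the parameterised version is not only safer but also the only one that works on real data.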

Calibre has released version 7.16, which fixes these security issues. Users should download and install it from the official Calibre download page. If the content server feature is in use, ensure it is protected with a strong password, or disable it if it is not essential. Limit network access to the Calibre installation, preferably by making the server reachable only through a VPN for trusted users.