CVE-2021-25964 is a stored Cross-site Scripting (XSS) vulnerability identified in the Calibre-web application, versions 0.6.0 through 0.6.12. Calibre-web is an open-source web application used to provide a web-based interface for managing and reading e-book collections. The vulnerability arises from insufficient sanitization of user-supplied input in the metadata description field. Specifically, an attacker with privileges to edit metadata can inject malicious JavaScript code into the description field of an e-book's metadata. When another user views the affected metadata through the web interface, the injected script executes in the victim's browser context. This stored XSS vulnerability can lead to a range of attacks including session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, but does require privileges to edit metadata and user interaction (victim viewing the malicious metadata). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component, as the malicious script executes in the victim's browser context. No known public exploits have been reported in the wild, and no official patches are linked in the provided information, indicating that users should verify if updates or mitigations have been released by the vendor. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using Calibre-web to manage digital libraries or e-book collections, this vulnerability poses a risk primarily to confidentiality and integrity. An attacker with metadata editing rights could inject malicious scripts that execute when other users access the metadata, potentially stealing session cookies, performing actions on behalf of users, or spreading malware within the organization. This could lead to unauthorized access to user accounts or sensitive information. Although the availability impact is minimal, the breach of confidentiality and integrity can undermine trust in the system and lead to further compromise if attackers leverage the foothold gained via XSS. Organizations in sectors such as education, publishing, libraries, and research institutions that rely on Calibre-web for digital content management are particularly at risk. The requirement for an attacker to have metadata editing privileges limits the attack surface but insider threats or compromised accounts could be exploited. The medium severity score suggests a moderate risk but should not be underestimated in environments where sensitive data is managed or where users have elevated privileges.

1. Immediate mitigation involves restricting metadata editing permissions strictly to trusted users and implementing strong access controls and monitoring on accounts with such privileges. 2. Employ web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the metadata description field. 3. Sanitize and validate all user inputs on the server side, especially in the metadata fields, to neutralize potentially malicious scripts. 4. Encourage or implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 5. Regularly audit metadata entries for suspicious content and remove or quarantine any that appear malicious. 6. Monitor logs for unusual editing activity or access patterns that could indicate exploitation attempts. 7. Stay updated with vendor advisories and apply patches promptly once available. 8. Educate users about the risks of clicking on suspicious links or metadata entries and encourage reporting of anomalies. 9. If possible, isolate the Calibre-web deployment within a segmented network zone to limit lateral movement in case of compromise.