CVE-2021-25965 is a high-severity vulnerability affecting Calibre-web versions 0.6.0 through 0.6.13. The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue (CWE-352). Calibre-web is a web-based application used to provide a user-friendly interface for managing and accessing e-book libraries, often deployed in personal or organizational environments. The vulnerability allows an attacker to craft a malicious link that, when clicked by an authenticated user, can trigger unauthorized actions within the application without the user's consent or knowledge. Specifically, the attacker can exploit this flaw to create a new user role with administrative privileges and attacker-controlled credentials. This effectively allows the attacker to take over the application, gaining full control over its functionality and data. The CVSS v3.1 base score is 8.8, indicating a high severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that the attack can be performed remotely over the network with low attack complexity, requires no privileges, but does require user interaction (clicking a link). The scope remains unchanged, and the impact on confidentiality, integrity, and availability is high. There are no known exploits in the wild as of the published date, and no official patches are linked in the provided data. The vulnerability arises because the application does not implement adequate anti-CSRF protections, such as CSRF tokens or same-site cookie attributes, allowing state-changing requests to be forged from external sites.

For European organizations using Calibre-web, this vulnerability poses a significant risk. An attacker who successfully exploits this CSRF flaw can gain administrative control over the application, potentially leading to unauthorized access to sensitive e-book collections, user data, and any integrated services. This could result in data breaches, loss of data integrity, and disruption of service availability. Organizations that use Calibre-web in shared or multi-user environments, such as libraries, educational institutions, or enterprises managing digital content, are particularly vulnerable. The compromise of administrative credentials could also be leveraged to pivot to other internal systems if Calibre-web is integrated with broader IT infrastructure. Given the ease of exploitation (requiring only a user to click a malicious link) and the high impact on confidentiality, integrity, and availability, the threat could lead to reputational damage, regulatory non-compliance (especially under GDPR if personal data is involved), and operational downtime.

To mitigate this vulnerability, European organizations should: 1) Immediately upgrade Calibre-web to a version beyond 0.6.13 where the vulnerability is fixed, if available, or apply any vendor-provided patches or workarounds. 2) If patches are not available, implement web application firewall (WAF) rules to detect and block suspicious CSRF attempts targeting Calibre-web endpoints, especially those related to user role creation. 3) Enforce strict Content Security Policy (CSP) headers to limit the ability of attackers to execute malicious scripts or embed malicious links. 4) Educate users about the risks of clicking unsolicited links, especially when authenticated to sensitive applications. 5) Implement network segmentation and access controls to limit exposure of Calibre-web instances to only trusted users and networks. 6) Monitor application logs for unusual user creation or privilege escalation activities to detect potential exploitation attempts. 7) Consider deploying additional anti-CSRF protections at the proxy or application level if upgrading is delayed, such as validating Origin or Referer headers. 8) Regularly review and audit user roles and permissions within Calibre-web to quickly identify unauthorized changes.