You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found that when the ebookmeta version is less than 1.2.8 and the lxml version is less than 4.9.1, the ebookmeta.get_metadata function will have an xxe vulnerability. An attacker could use this vulnerability to read sensitive information from the server.
Here is exp:
import ebookmeta
fp = "payload.fb2"
meta = ebookmeta.get_metadata(fp)
print(meta.title)
I found that when the ebookmeta version is less than 1.2.8 and the lxml version is less than 4.9.1, the ebookmeta.get_metadata function will have an xxe vulnerability. An attacker could use this vulnerability to read sensitive information from the server.
Here is exp:
Then we can get the following
The content of payload.fb2 is as follows
requirements.txt content is as follows
The text was updated successfully, but these errors were encountered: