Gentoo Linux Security Advisory 202409-4 - Multiple vulnerabilities have been discovered in calibre, the worst of which could lead to remote code execution. Versions greater than or equal to 7.16.0 are affected.
63f9a3d6a5bff26d14c87b2fba8c59318ca8dc99843106c3a92e3298aa4faa3b
Proof of concept unauthenticated remote code execution exploit for Calibre versions 7.14.0 and below.
8c3200bd22a9201376c309b810720c70e5e01d5f4a8e6a5ec53a060dd8be9202
This Metasploit module exploits a Python code injection vulnerability in the Content Server component of Calibre version 6.9.0 through 7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.
2678fd269bdb79e8ada27f1f7870d0382cc42ef2fd75bd19a29cff06a2dd56c3