Credit goes to Ting Liu from Nanjgtech for reporting this. Kavita prior to 0.6.0.3 did not have any protection against user-provided information to be used to bypass the verification process. If you were using the 0.6.0.3 or later version, you may want to upgrade as soon as possible. (via Ting Liu)
How to verify the authenticity of a Kavita installation?
If you are using the Kavita on a public computer and need to verify the authenticity of your installation, there are three methods listed below.
You can use the URL in the browser's address bar or display any error messages from your browser in order to check if there is an issue.
You can also use the kavita --verify command line option which will validate the authenticity of your installation.
If none of these options work, you still have time to contact support for assistance.
New end-to-end Encrypted Communication
A new end-to-end encrypted communication option was added in Q3 2018. This communication provides an extra layer of security that prevents other parties from eavesdropping and intercepting emails, chats, and file transfers. If your organization is interested in encryption, you can easily set up this new mode of communication within your account settings.
What is Kavita?
Kavita is a new tool for working with Apache Cordova (Apache PhoneGap) that allows you to use your browser for development, instead of requiring you to use a command-line interface.
The first benefit of using Kavita is that it will allow you to get more done in less time. The other advantage is that it helps reduce the risk of human error, like having the wrong permissions set or forgetting to restart your terminal emulator.
This vulnerability was found in an update released on October 25th, 2018. If you are using Kavita and have not updated to 0.6.0.3 or later, please do so as soon as possible.
Timeline
Published on: 11/14/2022 18:15:00 UTC
Last modified on: 11/17/2022 22:14:00 UTC