CVE-2024-24024

2024-02-0801:15:27

CWE-434

[email protected]

web.nvd.nist.gov

arbitrary file download

novel-plus

filecontroller

filepath

fiename

security vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

39.1%

JSON

An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download.

Affected configurations

Nvd

Node

xxyopennovel-plusRange≤4.2.0

xxyopennovel-plusMatch4.3.0rc1

VendorProductVersionCPE
xxyopennovel-plus*cpe:2.3:a:xxyopen:novel-plus:*:*:*:*:*:*:*:*
xxyopennovel-plus4.3.0cpe:2.3:a:xxyopen:novel-plus:4.3.0:rc1:*:*:*:*:*:*