Novel-plus Security Vulnerabilities and Issues — Novel-plus CVE List

Lucene search

XxyopenNovel-plus

12 matches found

CVE•added 2024/02/20 4:15 p.m.•4591 views

CVE-2024-25274

An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.

9.8CVSS7.7AI score0.00243EPSS

CVE•added 2024/02/08 1:15 a.m.•190 views

CVE-2024-24018

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list

9.8CVSS9.7AI score0.00076EPSS

CVE•added 2024/02/08 2:15 a.m.•189 views

CVE-2024-24017

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list

9.8CVSS9.7AI score0.00064EPSS

CVE•added 2024/02/06 4:15 p.m.•185 views

CVE-2024-24013

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list

9.8CVSS9.7AI score0.00066EPSS

CVE•added 2024/02/08 2:15 a.m.•178 views

CVE-2024-24021

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list.

9.8CVSS9.6AI score0.00066EPSS

CVE•added 2024/02/08 1:15 a.m.•176 views

CVE-2024-24026

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.

9.8CVSS9.4AI score0.00103EPSS

CVE•added 2024/02/08 2:15 a.m.•174 views

CVE-2024-24014

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list

9.8CVSS9.7AI score0.00069EPSS

CVE•added 2024/02/08 1:15 a.m.•172 views

CVE-2024-24023

9.8CVSS9.6AI score0.00069EPSS

CVE•added 2024/02/08 1:15 a.m.•165 views

CVE-2024-24024

An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download.

9.8CVSS9.3AI score0.00103EPSS

CVE•added 2024/02/08 1:15 a.m.•50 views

CVE-2024-24025

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.

9.8CVSS9.4AI score0.00103EPSS

CVE•added 2024/02/07 1:15 a.m.•41 views

CVE-2024-24019

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list

9.8CVSS9.7AI score0.00072EPSS

CVE•added 2024/02/06 4:15 p.m.•40 views

CVE-2024-24015

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit

9.8CVSS9.7AI score0.00066EPSS