A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list
[
{
"cpes": [
"cpe:2.3:a:novel-plus:novel-plus:*:*:*:*:*:*:*:*"
],
"vendor": "novel-plus",
"product": "novel-plus",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "4.3.0-rc1"
}
],
"defaultStatus": "unknown"
}
]