
Xxyopen Novel-Plus vulnerabilities

48 known vulnerabilities affecting xxyopen/novel-plus.

Total CVEs: 48
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 28, HIGH 12, MEDIUM 8

Vulnerabilities

Page 1 of 3
CVE-2025-4019 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.1.1 | 2025-04-28
CVE-2025-4019 [CRITICAL] CWE-287: A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remote
nvd
CVE-2025-3676 | P2 | CRITICAL | CVSS 9.8 | v3.5.0 | 2025-04-16
CVE-2025-3676 [CRITICAL] CWE-74: A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early
nvd
CVE-2025-3856 | P2 | CRITICAL | CVSS 9.8 | v5.1.0 | 2025-04-22
CVE-2025-3856 [CRITICAL] CWE-74: A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was con
nvd
CVE-2025-4016 | P3 | CRITICAL | CVSS 9.1 | fixed in 5.1.1 | 2025-04-28
CVE-2025-4016 [CRITICAL] CWE-266: A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This affects the function deleteIndex of the file novel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. Th
nvd
CVE-2024-24025 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-08
CVE-2024-24025 [CRITICAL] CWE-434: An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
nvd
CVE-2025-6535 | P3 | HIGH | CVSS 8.8 | ≤ 5.1.3 | v5.1.0 +3 more | 2025-06-24
CVE-2025-6535 [HIGH] CWE-74: A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to SQL injection. The attack can be initiate
nvd
CVE-2024-25274 | P3 | CRITICAL | CVSS 9.8 | v4.3.0 | 2024-02-20
CVE-2024-25274 [CRITICAL] CWE-434: An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.
nvd
CVE-2025-3369 | P3 | CRITICAL | CVSS 9.8 | v5.1.0 | 2025-04-07
CVE-2025-3369 [CRITICAL] CWE-74: A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /novel/friendLink/list. The manipulation of the argument sort leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
nvd
CVE-2024-24026 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-08
CVE-2024-24026 [CRITICAL] CWE-434: An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.
nvd
CVE-2024-0941 | P3 | CRITICAL | CVSS 9.8 | v4.3.0 | v4.3.0-RC1 | 2024-01-26
CVE-2024-0941 [CRITICAL] CWE-89: A vulnerability was found in Novel-Plus 4.3.0-RC1 and classified as critical. This issue affects some unknown processing of the file /novel/bookComment/list. The manipulation of the argument sort leads to SQL injection. The exploit has been disclosed to the public and may be used. The identifier VDB-252185 was assigned to this vulnerability. NOTE: Th
nvd
CVE-2023-2041 | P3 | HIGH | CVSS 8.8 | v3.6.2 | 2023-04-14
CVE-2023-2041 [HIGH] CWE-89: A vulnerability classified as critical was found in novel-plus 3.6.2. Affected by this vulnerability is an unknown functionality of the file /category/list?limit=10&offset=0&order=desc. The manipulation of the argument sort leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The assoc
nvd
CVE-2021-41921 | P3 | CRITICAL | CVSS 9.8 | v3.6.1 | 2022-04-28
CVE-2021-41921 [CRITICAL] CWE-434: novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution.
nvd
CVE-2024-24017 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-08
CVE-2024-24017 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list
nvd
CVE-2024-24014 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-08
CVE-2024-24014 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list
nvd
CVE-2024-24018 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-08
CVE-2024-24018 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list
nvd
CVE-2024-24015 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-06
CVE-2024-24015 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit
nvd
CVE-2024-24019 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-07
CVE-2024-24019 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list
nvd
CVE-2024-24013 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.0 | v4.3.0 | 2024-02-06
CVE-2024-24013 [CRITICAL] CWE-89: A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list
nvd
CVE-2023-2039 | P3 | HIGH | CVSS 8.8 | v3.6.2 | 2023-04-14
CVE-2023-2039 [HIGH] CWE-89: A vulnerability was found in novel-plus 3.6.2. It has been rated as critical. This issue affects some unknown processing of the file /author/list?limit=10&offset=0&order=desc. The manipulation of the argument sort leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB
nvd
CVE-2023-2040 | P3 | HIGH | CVSS 8.8 | v3.6.2 | 2023-04-14
CVE-2023-2040 [HIGH] CWE-89: A vulnerability classified as critical has been found in novel-plus 3.6.2. Affected is an unknown function of the file /news/list?limit=10&offset=0&order=desc. The manipulation of the argument sort leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225918 is the identifi
nvd