Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Novel\-Plus
(Xxyopen)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 34 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2025-06-20 | CVE-2025-45890 | Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter | Novel\-Plus | N/A | ||
| 2025-03-04 | CVE-2025-26182 | An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file | Novel\-Plus | N/A | ||
| 2024-02-06 | CVE-2024-24015 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit | Novel\-Plus | 9.8 | ||
| 2024-02-06 | CVE-2024-24013 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24025 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24021 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list. | Novel\-Plus | 9.8 | ||
| 2024-02-07 | CVE-2024-24019 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24014 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24018 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list | Novel\-Plus | 9.8 | ||
| 2022-02-10 | CVE-2022-24568 | Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Request Forgery (SSRF) via user-supplied crafted input. | Novel\-Plus | 9.8 |