Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Novel\-Plus
(Xxyopen)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 32 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-02-06 | CVE-2024-24015 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit | Novel\-Plus | 9.8 | ||
| 2024-02-07 | CVE-2024-24019 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24018 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24023 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24024 | An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24025 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24026 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24014 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24017 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list | Novel\-Plus | 9.8 | ||
| 2024-02-08 | CVE-2024-24021 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list. | Novel\-Plus | 9.8 |