CVE Details
Basic Information
| Title | xxyopen/201206030 novel-plus User Management Module UserMapper.xml list sql injection |
|---|---|
| Type | cve |
| Published | 2025-06-24T01:00:20.961Z |
| Last Seen |
Product Information
| Vendor | xxyopen |
|---|---|
| Product | novel-plus |
| Version | 5.1.0 |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
| Confidentiality Impact | |
| Integrity Impact | |
| Availability Impact |
AI Analysis
| AI Description | A SQL injection vulnerability in the User Management Module of novel-plus allows remote attackers to inject malicious SQL code via the ‘sort’ or ‘order’ parameters. This could lead to unauthorized data access or system compromise. The issue affects versions up to 5.1.3 and has a publicly disclosed exploit. |
|---|---|
| AI Severity | Medium |
| Vendor | xxyopen |
| Product | novel-plus |
| Affected Version | 5.1.0, 5.1.1, 5.1.2, 5.1.3 |
Affected Products
- xxyopen novel-plus 5.1.0
- xxyopen novel-plus 5.1.1
- xxyopen novel-plus 5.1.2
- xxyopen novel-plus 5.1.3
- 201206030 novel-plus 5.1.0
- 201206030 novel-plus 5.1.1
- 201206030 novel-plus 5.1.2
- 201206030 novel-plus 5.1.3
Additional Information
| CVE List | |
|---|---|
| CWE List | CWE-89, CWE-74 |
| Bulletin Family |
References
Description
A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.