CVE-2024-24024

CRITICAL

Xxyopen Novel-plus < 4.2.0 - Unrestricted File Upload

Title source: rule

Description

An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download.

References (2)

Core 2

Core References

Product

https://github.com/201206030/novel-plus

Third Party Advisory

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24024.txt

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 27.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

xxyopen/novel-plus 4.3.0 rc1

xxyopen/novel-plus < 4.2.0

Published Feb 08, 2024

Tracked Since Feb 18, 2026