CVE-2024-24026

CRITICAL

Xxyopen Novel-plus < 4.2.0 - Unrestricted File Upload

Title source: rule

Description

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download.

References (2)

Core 2

Core References

Product

https://github.com/201206030/novel-plus

Third Party Advisory

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24026.txt

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 27.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (2)

xxyopen/novel-plus 4.3.0 rc1

xxyopen/novel-plus < 4.2.0

Published Feb 08, 2024

Tracked Since Feb 18, 2026