CVE-2025-60298

MEDIUM

novel-plus < 5.2.4 - Authenticated Stored Cross-Site Scripting via /author/updateIndexName

Title source: llm

Description

Novel-Plus up to 5.2.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the /author/updateIndexName endpoint. Authenticated attackers can inject malicious JavaScript through the indexName parameter; the value is stored in the database and executed when other users view the affected book chapter.

References (3)

Core References
Exploit, Third Party Advisory
https://notes.sjtu.edu.cn/s/FB0dX82qf
Exploit, Third Party Advisory
https://notes.sjtu.edu.cn/s/FB0dX82qf#

Scores

CVSS v3 5.4
EPSS 0.0024
EPSS Percentile 15.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
xxyopen/novel-plus < 5.2.4
Published Oct 08, 2025
Tracked Since Feb 18, 2026