A vulnerability classified as critical has been found in novel-plus 3.6.2. Affected is an unknown function of the file /news/list?limit=10&offset=0&order=desc. The manipulation of the argument sort leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225918 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://vuldb.com/?id.225918 | Third Party Advisory |
| https://vuldb.com/?ctiid.225918 | Third Party Advisory |
| https://github.com/morty-py/morty/blob/main/Novel-Plus3.6.2%20sqli.pdf | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 04:11
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Xxyopen
Xxyopen novel-plus |
|
| CPE | cpe:2.3:a:xxyopen:novel-plus:3.6.2:*:*:*:*:*:*:* |
19 Apr 2023, 19:21
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Novel-plus Project novel-plus
Novel-plus Project |
|
| CPE | cpe:2.3:a:novel-plus_project:novel-plus:3.6.2:*:*:*:*:*:*:* | |
| References | (MISC) https://vuldb.com/?id.225918 - Third Party Advisory | |
| References | (MISC) https://vuldb.com/?ctiid.225918 - Third Party Advisory | |
| References | (MISC) https://github.com/morty-py/morty/blob/main/Novel-Plus3.6.2%20sqli.pdf - Exploit, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
14 Apr 2023, 09:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-04-14 09:15
Updated : 2024-05-17 02:22
NVD link : CVE-2023-2040
Mitre link : CVE-2023-2040
JSON object : View
Products Affected
xxyopen
- novel-plus
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')