CVE-2025-60299

Medium CVSS: 5.4

Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database and is executed in other users’ browsers when they view the affected comment thread.

Vendor

Xxyopen

Product

Novel-plus

CWE

CWE-79

Yayın Tarihi

2025-10-08 13:15:34

Güncelleme

2025-10-10 16:18:08

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Novel-plus MEDIUM Xxyopen 2025

Referanslar

https://github.com/201206030/novel-plus https://notes.sjtu.edu.cn/s/OtnFaGbI4 https://notes.sjtu.edu.cn/s/OtnFaGbI4

Benzer Kayıtlar

Medium

CVE-2025-65442

DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrar…

Medium

CVE-2025-60298

Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updat…

Low

CVE-2025-6534

A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affect…

Medium

CVE-2025-6535

A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerabilit…

Medium

CVE-2025-6533

A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected…

Critical

CVE-2025-45890

Directory Traversal vulnerability in novel plus before v.5.1.0 allows a remote attacker to execute arbitrary code via th…