CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1595 – novel-plus list sql injection
https://notcve.org/view.php?id=CVE-2023-1595
23 Mar 2023 — A vulnerability has been found in novel-plus 3.6.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file common/log/list. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/1610349395/novel-plus-v3.6.2----Background-SQL-Injection-Vulnerability-/blob/main/novel-plus%20v3.6.2%20--%20Background%20SQL%20Injection%20Vulnerability.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1594 – novel-plus list MenuService sql injection
https://notcve.org/view.php?id=CVE-2023-1594
23 Mar 2023 — A vulnerability, which was classified as critical, was found in novel-plus 3.6.2. Affected is the function MenuService of the file sys/menu/list. The manipulation of the argument sort leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/OYyunshen/Poc/blob/main/Novel-PlusV3.6.2Sqli.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36672
https://notcve.org/view.php?id=CVE-2022-36672
01 Sep 2022 — Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom user session. Se ha detectado que Novel-Plus versión v3.6.2, contiene una clave JWT embebida en el archivo de configuración del proyecto. Esta vulnerabilidad permite a atacantes crear una sesión de usuario personalizada • https://www.mesec.cn/archives/296 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36671
https://notcve.org/view.php?id=CVE-2022-36671
01 Sep 2022 — Novel-Plus v3.6.2 was discovered to contain an arbitrary file download vulnerability via the background file download API. Se ha detectado que Novel-Plus versión v3.6.2, contiene una vulnerabilidad de descarga de archivos arbitraria por medio de la API de descarga de archivos en segundo plano • https://www.mesec.cn/archives/291 • CWE-494: Download of Code Without Integrity Check •