201206030

**Name of the Vulnerable Software and Affected Versions** Novel-Plus versions up to 5.2.4 **Description** The software contains a Stored Cross-Site Scripting (XSS) issue. Authenticated attackers can inject malicious JavaScript code through the `indexName` parameter of the `/author/updateIndexName` API endpoint. This code is stored in the database and executed when other users view the affected book chapter. **Recommendations** Update Novel-Plus to a version later than 5.2.4.

**Name of the Vulnerable Software and Affected Versions** Novel-Plus version 5.2.0 **Description** An authenticated user can inject malicious JavaScript through the `replyContent` parameter when replying to a book comment via the `/book/addCommentReply` endpoint. The malicious payload is stored in the database and executed in other users’ browsers when they view the affected comment thread. This is a Stored Cross-Site Scripting issue. **Recommendations** Apply input validation and output encoding to the `replyContent` parameter in the `/book/addCommentReply` endpoint.

**Name of the Vulnerable Software and Affected Versions** Novel-Plus versions 4.3.0-RC1 and prior **Description** An arbitrary File upload vulnerability exists in the `uploadImg()` function of `SysUserController` at `com.java2nb.system.controller.SysUserController`. This allows an attacker to pass in a specially crafted `filename` parameter to perform arbitrary File download. **Recommendations** For Novel-Plus versions 4.3.0-RC1 and prior, as a temporary workaround, consider disabling the `uploadImg()` function until a patch is available. Restrict access to the `SysUserController` to minimize the risk of exploitation. Avoid using the `filename` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.