CVE-2023-7166

Name of the Vulnerable Software and Affected Versions Novel-Plus versions up to 4.2.0

Description A problematic vulnerability has been found in Novel-Plus, affecting an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the nickName argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Recommendations To fix this issue, apply a patch to Novel-Plus versions up to 4.2.0. As a temporary workaround, consider restricting access to the /user/updateUserInfo endpoint or disabling the manipulation of the nickName argument until a patch is available.