CVE-2024-24025

Name of the Vulnerable Software and Affected Versions Novel-Plus versions 4.3.0-RC1 and prior

Description An arbitrary file upload issue exists, allowing an attacker to perform arbitrary file downloads by passing a specially crafted filename parameter. This issue is related to the upload() function in the FileController at com.java2nb.common.controller.FileController.

Recommendations For Novel-Plus versions 4.3.0-RC1 and prior, consider disabling the upload() function in the FileController as a temporary workaround until a patch is available. Restrict access to the FileController to minimize the risk of exploitation. Avoid using the filename parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.