PT-2025-53724 · Git+1 · Novel

Shuang Li · Published 2025-12-29 · Updated 2025-12-29 · CVE-2025-65442

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: 201206030 novel, version 3.5.0

Description: A DOM-based Cross-Site Scripting (XSS) issue exists in the book comment module due to insufficient validation and encoding of user-controllable data. Unfiltered input is stored in the commentContent field of the book comment table and returned via an API, where it is rendered into the page DOM using the Vue 3 v-html directive without sanitization. Remote attackers can execute arbitrary JavaScript code or disclose sensitive information, such as user session cookies, by using a crafted wvstest parameter in the URL or injecting malicious scripts into window.localStorage. Attackers may use concealed payloads to bypass browser-based XSS filters.

Recommendations: For version 3.5.0, sanitize all user-controllable data before rendering it via the v-html directive and implement strict validation for the wvstest parameter. As a temporary workaround, restrict the use of the book comment module or disable the v-html directive for user-generated content until a permanent fix is applied.
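The following is an added example, not code from the advisory or from the novel project, illustrating the two rendering paths the recommendation contrasts: renderUnsafe() reproduces what v-html does with a raw commentContent value, and renderSafe() runs the same value through an allowlist sanitizer first. Only the field name commentContent is taken from the advisory; the function names, the allowlist, and the sample comment are constructed for this example.

```javascript
// Added example (not from the advisory or the novel project). It shows why
// v-html on a stored comment is dangerous and one way to neutralise the
// markup while still allowing a few harmless formatting tags.
// Field name commentContent is from the advisory; everything else is
// constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Formatting a comment may legitimately carry. Attributes are never allowed
// on these tags, so event handlers and javascript: URLs have nowhere to live.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'br']);

// Mirrors the v-html path: the stored markup is handed to the DOM as-is.
function renderUnsafe(comment) {
  return `<div class="comment">${comment.commentContent}</div>`;
}

// Allowlist sanitizer. Only attribute-free tags of the form <b>, </b>, <br>
// or <br/> are recognised; any tag with attributes fails the regex and is
// treated as plain text, so it is escaped together with everything else.
function sanitizeComment(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;
  let out = '';
  let last = 0;
  for (const m of String(html).matchAll(tagRe)) {
    out += escapeHtml(html.slice(last, m.index));          // text before the tag
    const name = m[1].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? m[0] : escapeHtml(m[0]); // keep or escape the tag
    last = m.index + m[0].length;
  }
  out += escapeHtml(html.slice(last));                       // trailing text
  return out;
}

// Hardened path: sanitize before the value ever reaches v-html.
function renderSafe(comment) {
  return `<div class="comment">${sanitizeComment(comment.commentContent)}</div>`;
}

// Constructed sample resembling a stored book comment with injected markup.
const sampleComment = {
  commentContent: 'Great <b>book</b><script>evil()</script><b onclick="evil()">x</b>',
};

console.log('v-html would render :', renderUnsafe(sampleComment));
console.log('sanitized rendering :', renderSafe(sampleComment));
```

If the comment module does not need formatting at all, the simpler fix is to drop v-html and bind the value with text interpolation (`{{ comment.commentContent }}`) or v-text, which Vue escapes automatically; the sanitizer above is for the case where bold and italic markup must survive. A regex-based allowlist like this one is adequate for attribute-free tags but is not a substitute for a maintained HTML sanitizer if richer markup is ever permitted.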

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-65442

Affected Products: Novel