Arbitrary File Upload Vulnerability
CVE-2024-24026

9.8CRITICAL

Key Information:

Vendor: Novel-Plus
Status: Novel-plus
Vendor: CVE Published:; 8 February 2024

Summary

An arbitrary file upload vulnerability is present in the Novel-Plus software, specifically in versions 4.3.0-RC1 and prior. This vulnerability is located within the SysUserController at the uploadImg() method, allowing attackers to exploit it by providing a crafted filename parameter. Successfully exploiting this flaw can enable unauthorized file downloads, resulting in potential exposure of sensitive data or system compromise. It is crucial for users and administrators of Novel-Plus to address this issue by updating to the latest software version and reviewing their security postures to mitigate any risks associated with this vulnerability.

References

https://github.com/201206030/novel-plus

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/m...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 8, 2024

Collectors

NVD Database