Authentication Bypass in Novel-plus by xxyopen
CVE-2025-6533

5.6MEDIUM

Key Information:

Vendor: xxyopen
Status: Novel-plus
Vendor: CVE Published:; 24 June 2025

What is CVE-2025-6533?

A significant vulnerability has been identified in the Novel-plus product by xxyopen, specifically in the ajaxLogin function of the CATCHA Handler. This flaw allows for an unauthorized authentication bypass through a capture-replay attack method, enabling potential remote access to sensitive areas of the application. Attackers may find it challenging to exploit this vulnerability, but the risk is compounded as public disclosure of the exploit has taken place. Despite early notifications to the vendor about this vulnerability, no response has been received.

References

https://blog.0xd00.com/blog/captcha-replay-attack-lead-to...

https://vuldb.com/?ctiid.313652

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2025