xxyopen Novel Plus Arbitrary Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in xxyopen Novel Plus versions through 4.4.0. The issue arises in the PageController.java file, where user input is directly inserted into the Thymeleaf rendering path. This vulnerability allows for server-side template injection, leading to arbitrary code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP GET request that includes a payload exploiting the server-side template injection flaw. The payload should be URL-encoded and designed to execute a command, such as 'id', which will be returned in the response. This can be done using a tool like Burp Suite or by manually crafting the request with the appropriate headers and cookies.
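As an added illustration (not code from Novel Plus or its PageController.java), the following hypothetical Spring MVC controller shows the pattern the advisory describes, a view name built from request input, next to an allow-listed version that keeps user input out of the Thymeleaf resolver; all class, route and template names here are assumptions.

```java
// Hypothetical example, not Novel Plus code: a Spring MVC controller whose returned
// String is resolved by Thymeleaf as a template name, shown in a risky and a hardened form.
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class PageExample {

    // Risky pattern: request input becomes part of the view name. Thymeleaf's Spring
    // integration evaluates view names as expressions (preprocessing and fragment
    // selectors), so attacker-controlled characters reach the template engine.
    @GetMapping("/unsafe/{page}")
    public String unsafe(@PathVariable("page") String page) {
        return "pages/" + page;
    }

    // Hardened pattern: request input is only a key into a fixed map of templates,
    // so the string handed to the resolver is always one the application authored.
    private static final Map<String, String> PAGES = Map.of(
        "about",   "pages/about",
        "contact", "pages/contact",
        "help",    "pages/help"
    );

    @GetMapping("/safe/{page}")
    public String safe(@PathVariable("page") String page) {
        String view = PAGES.get(page);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return view;
    }

    // Detection aid for access logs or a request filter: legitimate page names are
    // short alphanumeric tokens, so anything outside this allow-list is worth alerting on.
    private static final Pattern PAGE_NAME = Pattern.compile("^[a-z0-9_-]{1,64}$");

    static boolean isWellFormedPageName(String page) {
        return page != null && PAGE_NAME.matcher(page).matches();
    }
}
```

The allow-list map is the fix to prefer; the regex check is a secondary signal for logging and detection, not a substitute for keeping user input out of the view name.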

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.