novel-plus
cpe:2.3:a:novel-plus_project:novel-plus:*:*:*:*:*:*:*
- <= 5.2.4
A stored cross-site scripting (XSS) vulnerability has been identified in Novel-Plus versions through 5.2.4. The issue arises in the '/author/updateIndexName' endpoint, where an authenticated attacker can inject JavaScript into the 'indexName' parameter. The injected script is stored in the database and executed when other users view the corresponding book chapter listing. The vulnerability exists because this endpoint is not covered by the application's XSS filter, so the submitted value is neither sanitized on input nor neutralized before it is rendered.
Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user viewing the affected chapter, potentially leading to session hijacking, unauthorized actions on behalf of the user, and access to sensitive information such as credentials and personal data through the DOM.
To reproduce this vulnerability, authenticate as an author and create a book with chapters. Then, send a POST request to the '/author/updateIndexName' endpoint with a malicious payload in the 'indexName' parameter, such as a script tag containing JavaScript code, like an alert. The injected script will be stored in the database without any sanitization. When any user views the book chapter listing, the stored XSS payload will execute, demonstrating the vulnerability.
To address this vulnerability, add the '/author/updateIndexName' endpoint to the application's XSS filter configuration. This can be done by updating the 'application.yml' file in the 'novel-front' module to include the endpoint in the 'urlPatterns' list.
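The mitigation above is a coverage fix: the XSS filter only runs for paths listed in 'urlPatterns', so an endpoint missing from that list receives unfiltered input. The following Python model, added here as an illustration and not code from the Novel-Plus project, shows why adding the path matters. It assumes Ant-style URL patterns (`*` within a segment, `**` across segments), which is an assumption about the filter's matching rules, and uses HTML escaping as a stand-in for whatever sanitization the real filter performs. All endpoint names other than '/author/updateIndexName' are constructed placeholders.

```python
import re
from html import escape

# Constructed placeholder lists standing in for the 'urlPatterns' entries in
# application.yml. The "before" list deliberately omits the affected endpoint.
URL_PATTERNS_BEFORE = ["/hypothetical/otherEndpointA", "/hypothetical/otherEndpointB"]
URL_PATTERNS_AFTER = URL_PATTERNS_BEFORE + ["/author/updateIndexName"]


def pattern_to_regex(pattern: str) -> str:
    """Translate an Ant-style URL pattern into an anchored regular expression.

    '**' matches any number of path segments, '*' matches within one segment,
    every other character is matched literally. (Assumed pattern syntax.)
    """
    out = "^"
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def filter_applies(path: str, patterns: list[str]) -> bool:
    """True if the request path is covered by at least one configured pattern."""
    return any(re.match(pattern_to_regex(p), path) for p in patterns)


def sanitize_index_name(value: str) -> str:
    """Stand-in for the XSS filter: neutralize HTML metacharacters."""
    return escape(value, quote=True)


def handle_update_index_name(path: str, index_name: str, patterns: list[str]) -> str:
    """Model of the request pipeline: the filter only touches covered paths.

    Returns the value that would be written to the database for 'indexName'.
    """
    if filter_applies(path, patterns):
        return sanitize_index_name(index_name)
    return index_name  # uncovered path: stored verbatim, later rendered as-is


if __name__ == "__main__":
    submitted = "<script>alert(1)</script>"  # constructed test value from the advisory's description
    print("before fix:", handle_update_index_name("/author/updateIndexName", submitted, URL_PATTERNS_BEFORE))
    print("after fix: ", handle_update_index_name("/author/updateIndexName", submitted, URL_PATTERNS_AFTER))
```

With the endpoint absent from the list the stored value still contains the raw `<script>` tag; once the path is added the same submission is stored in escaped form. A wildcard such as `/author/**` would also cover the endpoint, which is a reasonable way to avoid the same gap reappearing when new author-side endpoints are added.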