Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-60298

Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and executed when other users view the affected book chapter.

Published

2025-10-08T13:15:34.627

Last Modified

2025-10-10T16:18:15.537

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xxyopen	novel-plus	≤ 5.2.4	Yes

References

https://github.com/201206030/novel-plus Product ([email protected])
https://notes.sjtu.edu.cn/s/FB0dX82qf Exploit, Third Party Advisory ([email protected])
https://notes.sjtu.edu.cn/s/FB0dX82qf# Exploit, Third Party Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)