Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-7166— Novel-Plus HTTP POST Request updateUserInfo cross site scripting

CVSS 3.5 · Low EPSS 0.13% · P32
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-7166

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Novel-Plus HTTP POST Request updateUserInfo cross site scripting
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0. This affects an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the argument nickName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is c62da9bb3a9b3603014d0edb436146512631100d. It is recommended to apply a patch to fix this issue. The identifier VDB-249201 was assigned to this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Novel-Plus 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Novel-Plus是Novel-Plus公司的一个在线社交阅读和写作平台。 Novel-Plus 4.2.0及之前版本存在跨站脚本漏洞,该漏洞源于文件/user/updateUserInfo的参数nickName会导致跨站脚本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-Novel-Plus 4.0 -

II. Public POCs for CVE-2023-7166

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-7166

登录查看更多情报信息。

Same Patch Batch · n/a · 2023-12-29 · 26 CVEs total

CVE-2023-71587.3 HIGHMicroPython objslice.c slice_indices heap-based overflow
CVE-2023-71525.5 MEDIUMMicroPython modselect.c poll_set_add_fd use after free
CVE-2023-71712.4 LOWNovel-Plus Friendly Link FriendLinkController.java cross site scripting
CVE-2023-50559XiangShan 安全漏洞
CVE-2023-52240Kantega SAML SSO OIDC Kerberos 安全漏洞
CVE-2023-50071Customer Support System 安全漏洞
CVE-2023-50070Customer Support System 安全漏洞
CVE-2023-50069WireMock 安全漏洞
CVE-2023-50035PHPGurukul Small CRM 安全漏洞
CVE-2023-50572JLine 安全漏洞
CVE-2023-50571Easy Rules 安全漏洞
CVE-2023-50570IPAddress 安全漏洞
CVE-2023-31300Sesami Cash Point & Transport Optimizer 安全漏洞
CVE-2023-23634Documize 安全漏洞
CVE-2023-31302Sesami Cash Point & Transport Optimizer 安全漏洞
CVE-2023-31295Sesami Cash Point & Transport Optimizer 安全漏洞
CVE-2023-52174XnView Classic 安全漏洞
CVE-2023-52173XnView Classic 安全漏洞
CVE-2023-31299Sesami Cash Point & Transport Optimizer 安全漏洞
CVE-2023-31296Sesami Cash Point & Transport Optimizer 安全漏洞

Showing top 20 of 26 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Novel-Plus
Same vendor: n/a
Same weakness: CWE-79

V. Comments for CVE-2023-7166

No comments yet

Leave a comment