CVE-2025-60298

Source
https://cve.org/CVERecord?id=CVE-2025-60298
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60298.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-60298
Published
2025-10-08T13:15:34.627Z
Modified
2026-04-10T05:33:33.045136Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter; the code is stored in the database and executed when other users view the affected book chapter.

References

Affected packages

Git / github.com/201206030/novel-plus

Affected ranges

Type
GIT
Repo
https://github.com/201206030/novel-plus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.2.4"
        }
    ]
}

Affected versions

4.*
4.1.0
4.2.0
v1.*
v1.0.0
v1.1.0
v1.1.1
v2.*
v2.0.0
v2.0.2
v2.1.2
v2.5.0
v2.6.0
v2.8.0
v3.*
v3.0.2
v3.1.0
v3.3.0
v3.5.0
v3.5.1
v3.5.3
v3.5.4
v3.6.0
v3.6.1
v3.6.2
v4.*
v4.0.0
v4.3.0-RC1
v4.4.0
v5.*
v5.0.0
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.5
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60298.json"