CVE-2025-6534
BaseFortify
Publication date: 2025-06-24
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xxyopen | novel-plus | up to 5.1.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-99 | The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6534 is an Improper Authorization vulnerability in the novel-plus software (versions up to 5.1.3). It affects the file deletion functionality in the remove endpoint of FileController.java. The vulnerability arises because the system does not verify whether the authenticated user owns the file they are trying to delete: the intended permission check is commented out in the source code, so any authenticated user can delete arbitrary files by supplying or guessing file IDs. This is an Insecure Direct Object Reference (IDOR) weakness, where users can delete files they should not have access to. [1, 2]
How can this vulnerability impact me?
This vulnerability allows any authenticated user to delete arbitrary files on the system without proper authorization. This can lead to loss of important data, disruption of services, and compromise of system integrity and availability. Since the authorization checks are missing, attackers can exploit this flaw remotely by guessing file IDs, potentially causing significant damage to the system and its data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the /remove endpoint of the novel-plus application, especially those that include file ID parameters. Since the flaw lets any authenticated user delete arbitrary files by guessing file IDs, commands or scripts that log or analyze HTTP POST requests to /remove with file ID parameters can help detect exploitation attempts, for example by using tools like curl or tcpdump to capture and inspect traffic, or by reviewing application logs for unexpected file deletion requests. Specific commands might include:
1. Using curl to test the endpoint: `curl -X POST -d "id=<file_id>" https://<target>/remove -H "Cookie: <auth_cookie>"`
2. Using grep on server logs to find POST requests to /remove: `grep 'POST /remove' /var/log/nginx/access.log`
3. Using tcpdump to capture HTTP POST traffic to the server on port 80 or 443: `tcpdump -i eth0 tcp port 80 and 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'`
4. Reviewing application logs for file deletion events without proper authorization.
However, no specific detection commands are provided in the resources. [1, 2]
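An added detection example, not taken from the page's sources or from the novel-plus project: it applies the log-review idea above to constructed nginx access-log lines and flags clients that POST to /remove for several distinct file IDs within a short window, the pattern an ID-guessing attempt leaves behind. It assumes the file ID is visible in the request line as a query-string parameter; if the application carries it in the POST body, the access log will not show it and the same logic must run over application-level logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" format: client ip, identity, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r'[?&]id=(\d+)')  # assumption: file ID travels as ?id=<n>

# Constructed sample: one client cycles through three IDs, another deletes one file.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2025:10:00:01 +0000] "POST /remove?id=101 HTTP/1.1" 200 21 "-" "curl/8.0"
10.0.0.5 - - [24/Jun/2025:10:00:03 +0000] "POST /remove?id=102 HTTP/1.1" 200 21 "-" "curl/8.0"
10.0.0.5 - - [24/Jun/2025:10:00:05 +0000] "POST /remove?id=103 HTTP/1.1" 200 21 "-" "curl/8.0"
10.0.0.9 - - [24/Jun/2025:10:00:07 +0000] "POST /remove?id=250 HTTP/1.1" 200 21 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jun/2025:10:05:00 +0000] "GET /index HTTP/1.1" 200 812 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status, file_id) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    id_m = ID_RE.search(m.group('path'))
    file_id = id_m.group(1) if id_m else None
    path = m.group('path').split('?', 1)[0]
    return m.group('ip'), ts, m.group('method'), path, int(m.group('status')), file_id


def find_deletion_bursts(lines, window_s=60, min_ids=3):
    """Map client ip -> sorted file IDs for clients that POST /remove against
    at least `min_ids` distinct IDs inside any `window_s`-second window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status, file_id = rec
        if method == 'POST' and path.endswith('/remove'):
            hits[ip].append((ts, file_id))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            ids = {fid for t, fid in events[i:] if fid and (t - t0).total_seconds() <= window_s}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids, key=int)
                break
    return flagged


if __name__ == '__main__':
    for ip, ids in find_deletion_bursts(SAMPLE_LOG).items():
        print(f'{ip}: {len(ids)} distinct file IDs deleted within 60s: {ids}')
```

On the sample above only 10.0.0.5 is flagged; a single legitimate deletion from 10.0.0.9 stays below the threshold.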
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /remove endpoint to trusted users only, ensuring that only authorized users can authenticate and access the file deletion functionality. Since the vulnerability arises from a missing authorization check (the @RequiresPermissions annotation is commented out), re-enabling or implementing proper authorization checks on the remove endpoint is critical. If patching or updating the software is not immediately possible, consider disabling the file deletion feature or restricting it via network controls or application firewall rules. Monitoring and alerting on suspicious deletion attempts is also recommended. Ultimately, replacing the affected component with a secure alternative or applying a vendor patch (if available) is advised. No official patch or vendor response is currently available. [2, 3]