CVE-2025-60298
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-08

Last updated on: 2025-10-10

Assigner: MITRE

Description
Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and executed when other users view the affected book chapter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-08
Last Modified
2025-10-10
Generated
2026-06-16
AI Q&A
2025-10-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-60298
EUVD
EUVD-2025-33176
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xxyopen novel-plus to 5.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60298 is a Stored Cross-Site Scripting (XSS) vulnerability in Novel-Plus versions up to 5.2.4. It occurs via the /author/updateIndexName endpoint, where authenticated attackers can inject malicious JavaScript code into the indexName parameter. This malicious code is stored in the database and executed whenever other users view the affected book chapter listing. The vulnerability exists because this endpoint is not included in the application's XSS filter configuration, allowing the injected scripts to bypass sanitization and execute in users' browsers. [1]

Impact Analysis

This vulnerability can have serious impacts including session hijacking, account takeover, phishing, data theft, privilege escalation, and malware distribution. Since the malicious script executes in the context of any user viewing the affected chapter list, attackers can steal session cookies, hijack accounts, redirect users to malicious sites, or perform unauthorized actions on behalf of users. The attack requires the attacker to be authenticated as an author but can affect all users who view the compromised content. [1]

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the /author/updateIndexName endpoint containing suspicious or malicious JavaScript code in the indexName parameter. For example, you can use network traffic inspection tools or web server logs to identify such requests. A simple detection command using curl to test the vulnerability could be: curl -X POST -d "indexName=<script>alert('XSS')</script>" https://your-novel-plus-domain/author/updateIndexName -b cookie.txt where cookie.txt contains authentication cookies for an author account. Additionally, inspecting database entries for stored scripts in the indexName field or reviewing application logs for unusual input patterns can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to add the /author/updateIndexName endpoint to the XSS filter's urlPatterns configuration in the application.yml file of the novel-front module. This ensures that inputs to this endpoint are properly sanitized to prevent malicious script injection. Until a patch is applied, restrict author access to this endpoint or monitor and block suspicious POST requests to it. Applying input validation and output encoding on the indexName parameter will also help mitigate the risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart