CVE-2021-41921

9.8 CRITICAL

📋 TL;DR

CVE-2021-41921 is an unrestricted file upload vulnerability in novel-plus V3.6.1 that allows attackers to upload malicious files with arbitrary extensions and content. This affects all novel-plus V3.6.1 installations and can lead to remote code execution on the server.

💻 Affected Systems

Products:
  • novel-plus
Versions: V3.6.1
Operating Systems: All platforms running novel-plus
Default Config Vulnerable: ⚠️ Yes
Notes: All novel-plus V3.6.1 installations are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise with attacker gaining full control, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Webshell upload leading to command execution, data manipulation, and lateral movement within the network.

🟢 If Mitigated

File uploads blocked or sanitized, preventing malicious file execution while maintaining legitimate upload functionality.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: HIGH - Equally exploitable from internal networks if accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload with malicious extension bypass. No authentication required. Public GitHub issues demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after V3.6.1

Vendor Advisory: https://github.com/201206030/novel-plus/issues/62

Restart Required: Yes

Instructions:

1. Upgrade novel-plus to the latest version.
2. Restart the application server.
3. Verify file upload restrictions are properly implemented.

🔧 Temporary Workarounds

Web Application Firewall Rule

all

Block file uploads with dangerous extensions at the WAF level

WAF-specific configuration to block .php, .jsp, .asp, .exe, .sh uploads

File Upload Directory Restrictions

linux

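Configure the web server to prevent execution in upload directories. The nginx rule denies every request under /uploads/, including legitimate downloads of uploaded files; the Apache directive only turns off the PHP engine (mod_php) and does not affect other handlers.

nginx: location /uploads/ { deny all; }
Apache:
<Directory /uploads>
    php_flag engine off
</Directory>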

🧯 If You Can't Patch

  • Disable file upload functionality completely in the novel-plus configuration
  • Implement strict file type validation and store uploaded files outside the web root with random names
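
One way to implement the second item above, as an added Python example that is not novel-plus code: the extension is checked against an allowlist, the content must start with the matching file signature, and the file is saved under a random name. The names store_upload and UploadRejected, the image-only allowlist and the 2 MiB limit are assumptions.

```python
import secrets
from pathlib import Path

# Assumption: only image uploads are needed; each allowed extension maps to
# the file signatures (magic bytes) its content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def store_upload(client_name: str, data: bytes, store_dir: Path) -> Path:
    """Validate an upload and save it under a random name in store_dir.

    store_dir must be outside the web root, so nothing saved here is ever
    served or interpreted directly by the web or application server.
    """
    # Use only the last path component; the client-supplied name is used
    # for the extension check and never becomes part of the stored path.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # The content must match the claimed type, not just the extension.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    store_dir.mkdir(parents=True, exist_ok=True)
    target = store_dir / (secrets.token_hex(16) + ext)
    # Mode "xb" refuses to overwrite an existing file.
    with open(target, "xb") as fh:
        fh.write(data)
    return target
```

A signature check only confirms the leading bytes, so it complements the no-execute rule on the storage directory rather than replacing it.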

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a file with a .php extension to the novel-plus upload endpoint. If it is accepted, the system is vulnerable.

Check Version:

Check the novel-plus version in the application interface or configuration files.

Verify Fix Applied:

Repeat the same upload test. It should be rejected with a proper file type validation error.

📡 Detection & Monitoring

Log Indicators:

  • File uploads with suspicious extensions (.php, .jsp, .asp)
  • Large number of upload attempts
  • Uploads to unusual paths

Network Indicators:

  • POST requests to upload endpoints with executable content
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR uri_path="/file/upload") AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
