CVE-2024-24021

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in Novel-Plus v4.3.0-RC1 and earlier allows attackers to execute arbitrary SQL commands by manipulating offset, limit, and sort parameters in the /novel/userFeedback/list endpoint. This can lead to data theft, modification, or deletion. All users running affected versions are impacted.

💻 Affected Systems

Products:
  • Novel-Plus
Versions: v4.3.0-RC1 and all prior versions
Operating Systems: Any OS running Novel-Plus (typically Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation, or remote code execution via database functions.

🟠 Likely Case

Unauthorized access to sensitive user data stored in the database, including personal information and feedback content.

🟢 If Mitigated

Limited impact: proper input validation and parameterized queries prevent the injection from reaching the database.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making internet-facing instances immediately exploitable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to authenticated or network-accessible attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint with malicious parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Check the official Novel-Plus repository for security updates. If unavailable, implement workarounds immediately.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side validation that rejects offset, limit, and sort parameters containing anything other than the expected values, so SQL syntax never reaches the query.

Modify the list endpoint handler to validate parameters before they are used: allow only digits (with an upper bound) for offset/limit, and accept sort only if it matches an allowlist of permitted column names and directions, since an ORDER BY column cannot be bound as a prepared-statement parameter.
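As an added example (not code from the Novel-Plus project), the validation described above in Python: offset and limit must be digit-only and bounded, and the ORDER BY fragment is rebuilt from an allowlist rather than taken from the request. The table and column names are assumptions, not the real Novel-Plus schema.

```python
import re
from dataclasses import dataclass

# Constructed allowlist; the real sortable columns must be taken from the
# feedback table schema (assumption, not the Novel-Plus schema).
ALLOWED_SORT_COLUMNS = {"id", "create_time", "user_id"}
ALLOWED_SORT_DIRS = {"asc", "desc"}
MAX_LIMIT = 100

# Whole-string digit match: "1' OR '1'='1" or "10;--" never pass.
_DIGITS = re.compile(r"[0-9]{1,9}")


@dataclass(frozen=True)
class PageParams:
    offset: int
    limit: int
    sort: str  # rebuilt from allowlisted values, e.g. "create_time DESC"


def validate_list_params(offset, limit, sort):
    """Return PageParams or raise ValueError; raw request strings never reach SQL."""
    if not _DIGITS.fullmatch(offset or ""):
        raise ValueError("offset must be digits only")
    if not _DIGITS.fullmatch(limit or ""):
        raise ValueError("limit must be digits only")
    off, lim = int(offset), int(limit)
    if lim < 1 or lim > MAX_LIMIT:
        raise ValueError("limit out of range")
    # sort is "<column>" or "<column> <asc|desc>"; anything else is rejected.
    parts = (sort or "id").strip().split()
    if len(parts) not in (1, 2):
        raise ValueError("malformed sort")
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_SORT_DIRS:
        raise ValueError("sort column or direction not allowed")
    return PageParams(off, lim, f"{column} {direction.upper()}")


def build_query(params):
    """ORDER BY comes from the allowlist; limit/offset are bound parameters."""
    sql = f"SELECT * FROM user_feedback ORDER BY {params.sort} LIMIT %s OFFSET %s"
    return sql, (params.limit, params.offset)


def is_safe(offset, limit, sort):
    """Convenience check: True only if all three parameters pass validation."""
    try:
        validate_list_params(offset, limit, sort)
        return True
    except ValueError:
        return False
```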

WAF Rule

Applies to: all

Deploy a web application firewall rule to block SQL injection patterns in the /novel/userFeedback/list endpoint.

Add WAF rule: Block requests to /novel/userFeedback/list containing SQL keywords (UNION, SELECT, INSERT, etc.) in parameters. Keyword blocking is a stopgap that can be evaded by encoding or case variation; it does not replace server-side validation.

🧯 If You Can't Patch

  • Restrict access to the /novel/userFeedback/list endpoint using network ACLs or authentication requirements.
  • Monitor and log all access to the vulnerable endpoint for suspicious parameter patterns.

🔍 How to Verify

Check if Vulnerable:

Test by sending a request to /novel/userFeedback/list with parameters like offset=1' OR '1'='1 and checking for SQL errors or unexpected behavior.

Check Version:

Check the Novel-Plus version in the application's configuration files or admin interface.

Verify Fix Applied:

After applying fixes, retest with malicious parameters to ensure no SQL injection occurs and normal functionality remains.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /novel/userFeedback/list with parameters containing SQL keywords or special characters.
  • Database error logs showing SQL syntax errors from the Novel-Plus application.

Network Indicators:

  • Unusual spikes in traffic to the /novel/userFeedback/list endpoint.
  • Outbound connections from the Novel-Plus server to unknown IPs, which may indicate data exfiltration.

SIEM Query:

source="novel-plus.log" AND uri="/novel/userFeedback/list" AND (param="*UNION*" OR param="*SELECT*" OR param="*' OR '*")
