CVE-2025-4017

4.3 MEDIUM

📋 TL;DR

This vulnerability in Novel-Plus allows unauthorized access to log viewing functionality due to improper authorization in the LogController. Attackers can remotely view system logs without proper permissions. All Novel-Plus deployments up to commit 0e156c04b4b7ce0563bef6c97af4476fcda8f160 are affected.

💻 Affected Systems

Products:
  • Novel-Plus
Versions: All versions up to commit 0e156c04b4b7ce0563bef6c97af4476fcda8f160
Operating Systems: All platforms running Novel-Plus
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface functionality for log viewing. No specific OS requirements mentioned.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to sensitive log data containing user activities, system events, and potentially credentials or other sensitive information.

🟠 Likely Case

Unauthorized viewing of system logs leading to information disclosure about user activities and system operations.

🟢 If Mitigated

Limited information disclosure with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain unauthorized access to log information.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on multiple sources including vuldb.com and cnblogs.com. Attack requires some level of access but not full authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Access Control Restriction

Platforms: all

Implement strict access controls to restrict access to the log viewing functionality to authorized users only.

Network Segmentation

Platforms: all

Restrict network access to the Novel-Plus admin interface using firewall rules or network segmentation.

🧯 If You Can't Patch

  • Implement strict authentication and authorization checks for all admin functions
  • Monitor access logs for unauthorized attempts to access log viewing functionality

🔍 How to Verify

Check if Vulnerable:

Check if your Novel-Plus version is at or before commit 0e156c04b4b7ce0563bef6c97af4476fcda8f160 by examining the git commit history or version metadata.

Check Version:

Check git log or version files in the Novel-Plus installation directory

Verify Fix Applied:

Test if unauthorized users can access the log viewing functionality at the affected endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /admin/log endpoints
  • Multiple failed authentication attempts followed by successful log access

Network Indicators:

  • Unusual traffic patterns to admin log endpoints from unauthorized IPs

SIEM Query:

source="novel-plus" AND (uri="/admin/log" OR uri CONTAINS "log") AND user="unauthorized"
