N/A

DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm.

N/A

N/A

novel 安全漏洞

novel是xxyopen开源的一个开源小说系统。 novel V3.5.0版本存在安全漏洞，该漏洞源于对用户可控数据验证和编码不足，可能导致执行任意JavaScript代码或泄露敏感信息。

N/A

N/A