CVE-2024-24018: n/a in n/a

Severity: Critical
Published: Thu Feb 08 2024 (02/08/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list.

AI-Powered Analysis

Last updated: 07/06/2025, 08:39:31 UTC

Technical Analysis

CVE-2024-24018 is a critical SQL injection vulnerability identified in Novel-Plus version 4.3.0-RC1 and earlier. The vulnerability arises from improper sanitization of user-supplied input parameters—specifically 'offset', 'limit', and 'sort'—in the /system/dataPerm/list endpoint. An attacker can craft malicious input to manipulate the underlying SQL queries executed by the application, enabling unauthorized access to or modification of the database. This vulnerability is classified under CWE-89, which pertains to improper neutralization of special elements used in SQL commands. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, no privileges required, no user interaction needed, and impacts confidentiality, integrity, and availability. Exploitation could lead to data leakage, data corruption, or denial of service. Although no known exploits are reported in the wild yet, the ease of exploitation and high impact make this a significant threat. No official patches or vendor information are currently available, increasing the urgency for mitigation and monitoring.

Potential Impact

For European organizations, the impact of this vulnerability could be severe. If Novel-Plus is used within critical infrastructure, government agencies, healthcare, finance, or other sectors handling sensitive data, exploitation could result in unauthorized data disclosure, manipulation of records, or service disruption. This could lead to regulatory non-compliance under GDPR due to data breaches, financial losses, reputational damage, and operational downtime. The ability to exploit remotely without authentication or user interaction increases the risk of widespread attacks. Additionally, the lack of available patches may force organizations to implement temporary mitigations, potentially affecting business continuity. Attackers could leverage this vulnerability to gain persistent access or pivot within networks, amplifying the threat landscape for European entities.

Mitigation Recommendations

Given the absence of official patches, European organizations should immediately implement the following mitigations:

1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the offset, limit, and sort parameters in /system/dataPerm/list requests.
2) Conduct thorough input validation and sanitization on all user-supplied parameters at the application level, using parameterized queries or prepared statements to prevent SQL injection.
3) Restrict access to the affected endpoint via network segmentation or IP whitelisting where feasible.
4) Monitor logs and network traffic for unusual query patterns or spikes in requests to the vulnerable endpoint.
5) Engage with the vendor or community to obtain patches or updates as soon as they become available.
6) Perform regular security assessments and penetration testing focused on injection flaws.
7) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in future releases.
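The log-monitoring and input-validation items above can be combined into one check, shown here as an added example that is not part of the original advisory or of Novel-Plus: it scans web access logs for requests to /system/dataPerm/list whose offset, limit, or sort values are not strictly well-formed. Assumptions: the parameters arrive in the query string, logs are in combined log format, and a legitimate sort value is a bare column name; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/system/dataPerm/list"            # endpoint named in the advisory
INT_RE = re.compile(r"[0-9]{1,9}")            # offset/limit: plain non-negative integer
SORT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")  # assumption: bare column name
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return sorted names of offset/limit/sort parameters that fail validation."""
    parts = urlsplit(request_target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so encoded metacharacters are seen in clear.
    params = parse_qs(parts.query, keep_blank_values=True)
    bad = set()
    for name, pattern in (("offset", INT_RE), ("limit", INT_RE), ("sort", SORT_RE)):
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                bad.add(name)
    return sorted(bad)

def scan(log_lines):
    """Yield (line_number, client, bad_params) for each flagged access-log line."""
    for number, line in enumerate(log_lines, start=1):
        match = REQ_RE.search(line)
        if not match:
            continue
        bad = suspicious_params(match.group(1))
        if bad:
            yield number, line.split(" ", 1)[0], bad

# Constructed sample lines (combined log format), not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2024:10:00:01 +0000] "GET /system/dataPerm/list?offset=0&limit=10&sort=id HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Feb/2024:10:00:05 +0000] "GET /system/dataPerm/list?offset=0&limit=10%3B--&sort=id HTTP/1.1" 500 87',
    '203.0.113.9 - - [08/Feb/2024:10:00:06 +0000] "GET /system/dataPerm/list?offset=0&limit=10&sort=id%27%20desc HTTP/1.1" 500 87',
    '203.0.113.7 - - [08/Feb/2024:10:00:09 +0000] "GET /system/user/list?sort=id%27 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for number, client, bad in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent non-conforming {', '.join(bad)}")
```

The same allowlist patterns suit server-side validation of the sort value, since a column name in an ORDER BY clause cannot be bound as a prepared-statement parameter. Parameters sent in a request body do not appear in access logs and need inspection at the WAF or application layer instead.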

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec3d1

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/6/2025, 8:39:31 AM

Last updated: 7/30/2025, 6:46:09 PM
