CVE-2024-24019 is a critical SQL injection vulnerability identified in Novel-Plus version 4.3.0-RC1 and all prior versions. The vulnerability arises from improper sanitization of user-supplied input parameters—specifically the offset, limit, and sort parameters—within the /system/roleDataPerm/list endpoint. An attacker can craft malicious input to manipulate the underlying SQL queries executed by the application, allowing unauthorized access to or modification of the database. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which is a common and dangerous flaw that can lead to full compromise of the database confidentiality, integrity, and availability. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, no privileges required, no user interaction needed, and impacts on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical impact make this vulnerability a high priority for remediation. The lack of vendor or product details limits the ability to identify the exact software vendor but the versioning indicates a specific product named Novel-Plus, likely a specialized or niche software solution. The vulnerability allows attackers to execute arbitrary SQL commands remotely, potentially leading to data leakage, data corruption, or full system compromise.

For European organizations using Novel-Plus software, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive data, including personal data protected under GDPR, resulting in legal and financial penalties. The integrity of critical business data could be compromised, affecting operational reliability and trustworthiness of systems. Availability could also be impacted if attackers execute destructive SQL commands, causing service outages. Given the critical CVSS score and the lack of required authentication or user interaction, attackers can remotely exploit this vulnerability at scale, potentially targeting multiple organizations simultaneously. This could be particularly damaging for sectors with high data sensitivity such as finance, healthcare, and government institutions across Europe. Additionally, the breach of personal data could lead to reputational damage and regulatory scrutiny. The absence of known exploits in the wild currently provides a small window for proactive mitigation before widespread attacks emerge.

Organizations should immediately identify if they are running Novel-Plus version 4.3.0-RC1 or earlier. Since no official patch links are provided, it is critical to contact the software vendor or developer for an official security update or patch addressing this SQL injection flaw. In the interim, implement strict input validation and sanitization on the offset, limit, and sort parameters at the application or web server level to block malicious payloads. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the /system/roleDataPerm/list endpoint. Conduct thorough code reviews and penetration testing focused on SQL injection vectors. Monitor logs for unusual query patterns or errors indicative of injection attempts. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Additionally, ensure regular backups of critical data are maintained to enable recovery in case of data corruption or deletion. Finally, raise awareness among IT and security teams about this vulnerability to ensure rapid response and mitigation.