CVE-2024-24021: n/a in n/a
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list.
AI Analysis
Technical Summary
CVE-2024-24021 is a critical SQL injection vulnerability identified in Novel-Plus version 4.3.0-RC1 and earlier. The vulnerability arises from improper sanitization of user-supplied input parameters—specifically offset, limit, and sort—within the /novel/userFeedback/list endpoint. An attacker can craft malicious input to manipulate the underlying SQL queries executed by the application. This manipulation can lead to unauthorized access, modification, or deletion of database records, potentially exposing sensitive user data or allowing further compromise of the application environment. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating a classic SQL injection flaw. The CVSS v3.1 score of 9.8 reflects the high severity, with an attack vector over the network (AV:N), no required privileges (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact make this a significant threat to any organization using the affected software. The lack of vendor or product identification beyond Novel-Plus limits detailed attribution but does not diminish the urgency of addressing this vulnerability.
Potential Impact
For European organizations, the impact of this vulnerability can be severe, especially for those relying on Novel-Plus or similar platforms for managing user feedback or content. Successful exploitation could lead to data breaches involving personal data protected under GDPR, resulting in regulatory fines and reputational damage. The full compromise of database integrity and availability could disrupt business operations, erode customer trust, and expose organizations to further attacks such as privilege escalation or lateral movement within networks. Given the critical CVSS score and the absence of required authentication or user interaction, attackers can remotely exploit this vulnerability at scale, increasing the risk to organizations with internet-facing deployments. The potential for data exfiltration or destructive actions makes this a high-priority threat for sectors handling sensitive or regulated information, including finance, healthcare, and public services within Europe.
Mitigation Recommendations
Organizations should immediately audit their use of Novel-Plus, particularly versions 4.3.0-RC1 and earlier, and prioritize upgrading to a patched version once available. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting offset, limit, and sort parameters can provide temporary protection. Developers should implement strict input validation and parameterized queries or prepared statements to prevent injection. Conducting thorough code reviews and penetration testing focusing on SQL injection vectors is recommended. Additionally, monitoring database logs for anomalous queries and setting up alerting for unusual activity can help detect exploitation attempts early. Organizations should also review their incident response plans to handle potential data breaches stemming from this vulnerability.
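An added example (not Novel-Plus code and not part of the original advisory) of the input validation and parameterized queries recommended above, applied to the offset, limit, and sort parameters. The table user_feedback, its columns, the sort allowlist, and the numeric bounds are assumptions for illustration; Python with sqlite3 is used only so the example runs stand-alone.

```python
import sqlite3

# Hypothetical allowlist: request value -> real column name. Identifiers cannot be
# bound as query parameters, so the column is only ever taken from this mapping.
SORT_COLUMNS = {"id": "id", "createTime": "create_time", "userId": "user_id"}
MAX_LIMIT = 100          # assumed page-size ceiling
MAX_OFFSET = 10_000_000  # assumed offset ceiling


def bounded_int(params, name, default, low, high):
    """Return params[name] as an int in [low, high]; raise ValueError otherwise."""
    raw = str(params.get(name, default))
    if not (raw.isascii() and raw.isdigit()):  # digits only: no sign, space, or SQL
        raise ValueError(f"{name} must be a non-negative integer")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError(f"{name} out of range")
    return value


def parse_paging(params):
    """Validate offset, limit, and sort from a request parameter mapping."""
    offset = bounded_int(params, "offset", 0, 0, MAX_OFFSET)
    limit = bounded_int(params, "limit", 10, 1, MAX_LIMIT)
    sort = params.get("sort", "id")
    if sort not in SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return offset, limit, SORT_COLUMNS[sort]


def list_feedback(conn, params):
    """Paged listing: column comes from the allowlist, numbers are bound."""
    offset, limit, column = parse_paging(params)
    sql = ("SELECT id, user_id, content FROM user_feedback "
           f"ORDER BY {column} ASC LIMIT ? OFFSET ?")
    return conn.execute(sql, (limit, offset)).fetchall()


def demo_db():
    """Constructed sample table and rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_feedback "
                 "(id INTEGER PRIMARY KEY, user_id INT, content TEXT, create_time TEXT)")
    conn.executemany("INSERT INTO user_feedback VALUES (?, ?, ?, ?)",
                     [(i, 100 + i, f"feedback {i}", f"2024-01-{i:02d}")
                      for i in range(1, 6)])
    return conn
```

Requests that fail validation should be rejected with an error response and logged, which also gives the monitoring described above a clean signal.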
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f5c1b0bd07c3938d49a
Added to database: 6/10/2025, 6:54:20 PM
Last enriched: 7/10/2025, 9:48:28 PM
Last updated: 8/6/2025, 7:54:26 PM