CVE-2024-24023 is a critical SQL injection vulnerability identified in Novel-Plus version 4.3.0-RC1 and earlier. The vulnerability arises from improper sanitization of user-supplied parameters—specifically offset, limit, and sort—passed to the /novel/bookContent/list API endpoint. An attacker can craft malicious input to manipulate SQL queries executed by the backend database, enabling unauthorized data access, data modification, or deletion. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score of 9.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). This means any remote attacker can exploit the flaw without authentication or user involvement. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to compromise Novel-Plus deployments. The lack of available patches at the time of disclosure increases the urgency for organizations to implement interim mitigations and monitor their environments closely.

The exploitation of CVE-2024-24023 can have severe consequences for organizations using Novel-Plus. Attackers can extract sensitive data from the database, including user information, proprietary content, or business-critical data, leading to confidentiality breaches. They can also alter or delete data, compromising data integrity and potentially disrupting service availability. The ability to execute arbitrary SQL commands remotely without authentication increases the risk of widespread exploitation. This can result in data loss, reputational damage, regulatory penalties, and operational downtime. Given Novel-Plus's role in digital content delivery, affected organizations may face significant business impact, including loss of customer trust and competitive disadvantage. The vulnerability's critical severity underscores the need for immediate attention to prevent exploitation and mitigate potential damages.

To mitigate CVE-2024-24023, organizations should first check for any official patches or updates from Novel-Plus and apply them promptly once available. In the absence of patches, implement strict input validation and sanitization on the offset, limit, and sort parameters to ensure only expected numeric or predefined values are accepted. Employ parameterized queries or prepared statements in the application code to prevent SQL injection. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the affected endpoint. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts. Restrict database user permissions to the minimum necessary to limit the impact of a successful injection. Additionally, conduct regular security assessments and penetration testing focused on injection vulnerabilities. Educate development teams on secure coding practices to prevent similar issues in future releases.