CVE-2025-60298 is a stored Cross-Site Scripting (XSS) vulnerability identified in Novel-Plus software versions up to 5.2.4. The vulnerability exists in the /author/updateIndexName endpoint, where the indexName parameter is insufficiently sanitized, allowing authenticated attackers to inject malicious JavaScript code. This injected code is stored persistently in the backend database and executed in the browsers of users who subsequently view the affected book chapter. The attack vector requires the attacker to be authenticated, which limits exploitation to users with some level of access, but does not require further user interaction beyond viewing the compromised content. The consequences of exploitation include theft of session cookies, enabling account takeover, unauthorized actions performed with the victim’s privileges, and potential spread of malware or phishing attacks. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the nature of stored XSS and the potential for lateral movement within affected environments. The lack of a CVSS score indicates the need for a manual severity assessment. The vulnerability affects organizations using Novel-Plus for digital content management, particularly those that allow multiple authors or editors to update book chapters. The absence of patch links suggests that vendors may not have released an official fix at the time of publication, emphasizing the need for immediate mitigation steps.

For European organizations, exploitation of this vulnerability could lead to significant confidentiality breaches, including theft of user credentials and session tokens, enabling attackers to impersonate legitimate users. Integrity of content could be compromised by unauthorized script execution, potentially leading to misinformation or defacement of digital publications. Availability impact is limited but could occur if attackers use the vulnerability to inject disruptive scripts causing application malfunction or denial of service. Organizations in sectors such as education, publishing, and research that rely on Novel-Plus for collaborative content creation are particularly at risk. The requirement for authentication reduces the risk from external attackers but increases the threat from insider threats or compromised accounts. The vulnerability could also facilitate broader attacks by serving as an initial foothold for lateral movement within networks. Given the collaborative nature of the affected platform, the scope of impact could be broad within an organization, affecting multiple users and departments.

1. Monitor for and restrict access to the /author/updateIndexName endpoint to trusted users only, employing strict access controls and multi-factor authentication to reduce the risk of compromised accounts. 2. Implement robust input validation and output encoding on the indexName parameter to prevent injection of malicious scripts. 3. Apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4. Conduct regular security audits and code reviews focusing on input handling in web applications. 5. Educate users and administrators about the risks of stored XSS and encourage vigilance when interacting with user-generated content. 6. Deploy web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting the affected endpoint. 7. Stay alert for vendor patches or updates and apply them promptly once available. 8. Review and limit the privileges of users who can update book chapters to minimize potential attack vectors.