CVE-2025-6535: SQL Injection in xxyopen novel-plus
A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-6535 is a SQL Injection vulnerability in the xxyopen novel-plus software, affecting versions 5.1.0 through 5.1.3. The flaw resides in the User Management Module, in the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml. It is triggered by improper sanitization of the 'sort' or 'order' arguments passed to the 'list' function, which allows an attacker to inject SQL into the query. The injection can be exploited remotely without user interaction or prior authentication, so it is reachable by unauthenticated remote attackers. The vulnerability has been publicly disclosed; although no exploitation in the wild has been observed yet, the availability of public exploit code increases the risk. The vendor has not responded to notifications, and no official patches or mitigations have been released. The CVSS 4.0 base score is 5.3 (medium severity), reflecting a moderate impact on confidentiality, integrity, and availability, with low attack complexity and no authentication required. The vulnerability does not involve scope changes or security requirements beyond the affected component. As with any SQL Injection, successful exploitation could lead to unauthorized data access, data modification, or denial of service through database manipulation, depending on the privileges of the database user under which the application runs.
Potential Impact
For European organizations running xxyopen novel-plus versions 5.1.0 to 5.1.3, this vulnerability poses a risk of unauthorized access to the sensitive user data managed by the User Management Module. Exploitation could lead to data leakage, corruption, or deletion, affecting user privacy and operational continuity. Because the vulnerability can be exploited remotely without authentication, attackers could use it to compromise internal systems, escalate privileges, or pivot to other network segments. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and public administration. The lack of vendor response and the absence of patches lengthen the exposure window, raising the likelihood of exploitation attempts. If the affected software is integrated into larger enterprise systems or used in multi-tenant environments, the impact could extend beyond a single organization to partners or customers. The medium CVSS score indicates moderate risk, but the real-world impact depends on deployment context, database permissions, and the compensating controls in place.
Mitigation Recommendations
1. As an immediate mitigation, implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'sort' and 'order' parameters on the User Management Module endpoints.
2. Conduct a thorough code review and strengthen input validation for all parameters that influence SQL queries, especially those controlling sorting and ordering, enforcing strict whitelisting of allowed values.
3. Employ parameterized queries or prepared statements in the affected MyBatis XML mappings to eliminate direct concatenation of user input into SQL statements.
4. Restrict the database user privileges used by novel-plus to the minimum necessary, avoiding elevated permissions that would exacerbate the impact of an injection.
5. Monitor application logs and database logs for anomalous query patterns or errors indicative of injection attempts.
6. If feasible, isolate the affected application components within segmented network zones to limit lateral movement in case of compromise.
7. Engage with the vendor or community to seek patches or updates; if none are forthcoming, consider migrating to alternative software or to versions not affected by this vulnerability.
8. Educate development and operations teams about secure coding practices and the importance of timely patch management for third-party components.
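The whitelist check that recommendations 2 and 3 call for, as an added example that is not code from novel-plus: MyBatis cannot bind an ORDER BY column or direction with a #{...} prepared-statement parameter (it would be sent as a string literal), so a mapper that sorts on user-supplied values must use ${...} interpolation, and the only safe way to do that is to validate the values against a fixed set first. The column names and the guard class are assumptions for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added example, not part of novel-plus. Builds the ORDER BY fragment that
// a MyBatis mapper would interpolate as:  ORDER BY ${orderBy}
// Only values taken from the whitelists below can ever reach that string.
public final class OrderByGuard {

    // Request parameter value -> real column name (assumed column names).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "id", "id",
            "username", "username",
            "createTime", "create_time");

    private static final Set<String> ORDER_DIRECTIONS = Set.of("ASC", "DESC");

    /**
     * Returns "column DIRECTION" for whitelisted input, applying defaults
     * when a parameter is absent. Any other value, including anything
     * containing SQL syntax, is rejected before the mapper is called.
     */
    public static String orderBy(String sort, String order) {
        String column = SORT_COLUMNS.get(sort == null ? "id" : sort);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String direction = order == null ? "ASC" : order.toUpperCase();
        if (!ORDER_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return column + " " + direction;
    }

    public static void main(String[] args) {
        // Valid request: mapped to the real column, direction normalised.
        System.out.println(orderBy("createTime", "desc")); // create_time DESC
        // Constructed malformed value: rejected instead of interpolated.
        try {
            orderBy("not_a_column", "ASC");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The WAF rule in recommendation 1 is a stopgap; this validation belongs in the controller or service layer, ahead of every mapper method that interpolates sort or order values.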
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-23T14:32:29.709Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6859fad3dec26fc862d8c38a
Added to database: 6/24/2025, 1:09:39 AM
Last enriched: 6/24/2025, 1:26:25 AM
Last updated: 8/15/2025, 5:28:39 AM