
CVE-2025-65442: n/a

Medium
Tags: Vulnerability, CVE-2025-65442, cve, cve-2025-65442
Published: Mon Dec 29 2025 (12/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm.

AI-Powered Analysis

Last updated: 12/30/2025, 23:28:30 UTC

Technical Analysis

CVE-2025-65442 is a DOM-based Cross-Site Scripting vulnerability identified in the 201206030 novel V3.5.0 software, specifically within its book comment module. The root cause is the insufficient validation and encoding of user-controllable data, particularly the "wvstest" parameter in URLs and malicious script injections into window.localStorage. User input submitted via the commentContent field in the backend book_comment database table is returned through an API and rendered directly into the page DOM using Vue 3's v-html directive without proper sanitization. This direct insertion of untrusted content into the DOM enables attackers to execute arbitrary JavaScript code in the context of the victim's browser. The vulnerability allows attackers to steal sensitive information such as session cookies or perform actions on behalf of the user, compromising confidentiality and integrity. Exploitation requires the victim to interact with a crafted URL or malicious script, but no authentication or elevated privileges are needed. Modern browser XSS filters may block simple alert payloads, but attackers can craft stealthy scripts to evade detection and achieve malicious objectives. The CVSS 3.1 score of 6.1 reflects a network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change due to the vulnerability affecting the client-side DOM. No patches or known exploits are reported yet, indicating the need for proactive mitigation.

Potential Impact

For European organizations using the affected 201206030 novel V3.5.0 software, this vulnerability poses a significant risk to user data confidentiality and application integrity. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, and potential data leakage. This is particularly concerning for organizations handling sensitive or personal data under GDPR regulations, as breaches could result in regulatory penalties and reputational damage. The vulnerability's client-side nature means that any user interacting with the vulnerable application could be targeted, increasing the attack surface. Additionally, the ability to inject scripts via localStorage or crafted URLs could facilitate phishing or drive-by attacks. Although no known exploits exist currently, the medium severity and ease of exploitation without authentication make it a credible threat. European organizations relying on this software for customer-facing or internal applications should prioritize addressing this vulnerability to prevent potential data breaches and service disruptions.

Mitigation Recommendations

To mitigate CVE-2025-65442, organizations should implement strict input validation and output encoding for all user-controllable data, especially within the book comment module. Specifically, avoid using Vue 3's v-html directive to render untrusted content; instead, use safer rendering methods that automatically escape HTML or employ robust sanitization libraries such as DOMPurify to cleanse input before storage and rendering. Review and sanitize any data stored in window.localStorage before usage. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Conduct thorough code audits focusing on client-side rendering logic and API responses to ensure no unsanitized data is injected into the DOM. Educate users to be cautious about clicking suspicious links, and monitor web application logs for unusual parameter usage or injection attempts. Finally, maintain an incident response plan to quickly address any exploitation attempts once patches or updates become available from the vendor.
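One way to apply the output-encoding and localStorage advice above, shown as an added example and not code from the novel project: the helper names (`escapeHtml`, `renderComment`, `readStoredString`) and the sample inputs are hypothetical. It assumes comments are plain text; where no markup is needed at all, Vue's `{{ }}` interpolation already escapes and `v-html` can simply be dropped.

```javascript
// Added example: helper names are hypothetical, not part of the project's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters so the text cannot open a tag
// or break out of a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build markup for a v-html sink from the commentContent value returned by the API.
// The only markup emitted is the <br> generated here; user input is fully encoded.
function renderComment(commentContent) {
  return escapeHtml(commentContent).replace(/\r?\n/g, '<br>');
}

// Read a value from a Storage-like object (window.localStorage in the browser)
// and accept it only if it matches an allow-list pattern; otherwise use a default.
function readStoredString(storage, key, pattern, fallback) {
  const raw = storage.getItem(key);
  return typeof raw === 'string' && pattern.test(raw) ? raw : fallback;
}

// Constructed starting point for a CSP response header; tune per deployment.
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample inputs: a comment carrying markup and a tampered storage entry.
const sampleComment = 'Great chapter!\n<img src=x onerror="alert(1)">';
const fakeStorage = {
  data: { nickname: 'reader_42', theme: '"><script>1</script>' },
  getItem(k) {
    return Object.prototype.hasOwnProperty.call(this.data, k) ? this.data[k] : null;
  },
};

console.log(renderComment(sampleComment));
console.log(readStoredString(fakeStorage, 'theme', /^[a-z]{1,16}$/, 'light'));
console.log(readStoredString(fakeStorage, 'nickname', /^[A-Za-z0-9_]{1,32}$/, 'guest'));
```

If comments must keep some formatting, an allow-list sanitizer such as DOMPurify takes the place of `escapeHtml` at the same point in the rendering path.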


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695450b7db813ff03e2bf346

Added to database: 12/30/2025, 10:22:47 PM

Last enriched: 12/30/2025, 11:28:30 PM

Last updated: 2/7/2026, 2:54:20 PM
