Search criteria
13 vulnerabilities by namelessmc
CVE-2025-54117 (GCVE-0-2025-54117)
Vulnerability from cvelistv5 – Published: 2025-08-18 16:02 – Updated: 2025-08-18 17:37
VLAI?
Title
NamelessMC allows Stored Cross-Site Scripting (XSS) in dashboard text editor
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54117",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:36:51.866673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:37:06.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T16:02:48.176Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-gp3j-j84w-vqxx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-gp3j-j84w-vqxx"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/0e77706b2966dd9f2e30502126d6581ecc001f09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/0e77706b2966dd9f2e30502126d6581ecc001f09"
}
],
"source": {
"advisory": "GHSA-gp3j-j84w-vqxx",
"discovery": "UNKNOWN"
},
"title": "NamelessMC allows Stored Cross-Site Scripting (XSS) in dashboard text editor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54117",
"datePublished": "2025-08-18T16:02:48.176Z",
"dateReserved": "2025-07-16T23:53:40.507Z",
"dateUpdated": "2025-08-18T17:37:06.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54421 (GCVE-0-2025-54421)
Vulnerability from cvelistv5 – Published: 2025-08-18 16:01 – Updated: 2025-08-18 17:36
VLAI?
Title
NamelessMC allows Stored Cross Site Scripting (XSS) in SEO component
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the default_keywords crafted parameter. This vulnerability is fixed in 2.2.4.
Severity ?
7.2 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54421",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:35:56.908320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:36:09.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the default_keywords crafted parameter. This vulnerability is fixed in 2.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T16:01:30.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-f5rm-w4mx-q7rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-f5rm-w4mx-q7rx"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/56d35cff9ee944c061791ef478cabd2bed0223c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/56d35cff9ee944c061791ef478cabd2bed0223c4"
}
],
"source": {
"advisory": "GHSA-f5rm-w4mx-q7rx",
"discovery": "UNKNOWN"
},
"title": "NamelessMC allows Stored Cross Site Scripting (XSS) in SEO component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54421",
"datePublished": "2025-08-18T16:01:30.994Z",
"dateReserved": "2025-07-21T23:18:10.281Z",
"dateUpdated": "2025-08-18T17:36:09.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54118 (GCVE-0-2025-54118)
Vulnerability from cvelistv5 – Published: 2025-08-18 15:59 – Updated: 2025-08-18 17:34
VLAI?
Title
NamelessMC allows sensitive information disclosure in member list component
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Sensitive information disclosure in NamelessMC before 2.2.4 allows unauthenticated remote attacker to gain sensitive information such as absolute path of the source code via list parameter. This vulnerability is fixed in 2.2.4.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54118",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:34:42.179767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:34:51.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. Sensitive information disclosure in NamelessMC before 2.2.4 allows unauthenticated remote attacker to gain sensitive information such as absolute path of the source code via list parameter. This vulnerability is fixed in 2.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T15:59:15.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-cj37-8jqc-hv2w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-cj37-8jqc-hv2w"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/3b94eb594dcbb1abc5524e41a0631df3ac95de8f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/3b94eb594dcbb1abc5524e41a0631df3ac95de8f"
}
],
"source": {
"advisory": "GHSA-cj37-8jqc-hv2w",
"discovery": "UNKNOWN"
},
"title": "NamelessMC allows sensitive information disclosure in member list component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54118",
"datePublished": "2025-08-18T15:59:15.837Z",
"dateReserved": "2025-07-16T23:53:40.508Z",
"dateUpdated": "2025-08-18T17:34:51.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32389 (GCVE-0-2025-32389)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:56 – Updated: 2025-04-18 16:24
VLAI?
Title
NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a¶m[1]=b¶m[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.1.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32389",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:11:10.305326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:24:24.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a\u0026param[1]=b\u0026param[2]=c` utilized by PHP, which is parsed by PHP as `$_GET[\u0027param\u0027]` being of type array. This issue has been patched in version 2.1.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:56:39.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-5984-mhcp-cq2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-5984-mhcp-cq2x"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/02c81c7c45b98fad1ebe3bc085efae18aec4566f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/02c81c7c45b98fad1ebe3bc085efae18aec4566f"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.4"
}
],
"source": {
"advisory": "GHSA-5984-mhcp-cq2x",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32389",
"datePublished": "2025-04-18T15:56:39.962Z",
"dateReserved": "2025-04-06T19:46:02.463Z",
"dateUpdated": "2025-04-18T16:24:24.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31120 (GCVE-0-2025-31120)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:52 – Updated: 2025-04-18 20:01
VLAI?
Title
NamelessMC Vulnerable to Cookie-Based View Count Manipulation
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0.
Severity ?
5.3 (Medium)
CWE
- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31120",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T20:00:43.144400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T20:01:03.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:52:57.791Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
}
],
"source": {
"advisory": "GHSA-8jv7-77jw-h646",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Vulnerable to Cookie-Based View Count Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31120",
"datePublished": "2025-04-18T15:52:57.791Z",
"dateReserved": "2025-03-26T15:04:52.625Z",
"dateUpdated": "2025-04-18T20:01:03.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31118 (GCVE-0-2025-31118)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:52 – Updated: 2025-04-18 16:02
VLAI?
Title
NamelessMC Has Forum Reply Submission Time Limit Bypass
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature (view_topic.php) does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction, resulting in an uncontrolled surge of posts that can disrupt normal operations. This issue has been patched in version 2.2.0.
Severity ?
7.1 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31118",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:02:05.598696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:02:09.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-jhvp-mwj4-922m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature (view_topic.php) does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction, resulting in an uncontrolled surge of posts that can disrupt normal operations. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:52:36.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-jhvp-mwj4-922m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-jhvp-mwj4-922m"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/51e9d93aaa28d40f060b807533d22b768abea207",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/51e9d93aaa28d40f060b807533d22b768abea207"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
}
],
"source": {
"advisory": "GHSA-jhvp-mwj4-922m",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Has Forum Reply Submission Time Limit Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31118",
"datePublished": "2025-04-18T15:52:36.923Z",
"dateReserved": "2025-03-26T15:04:52.624Z",
"dateUpdated": "2025-04-18T16:02:09.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30357 (GCVE-0-2025-30357)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:51 – Updated: 2025-04-18 16:04
VLAI?
Title
NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator deletes the malicious user's account, all their posts (comments) along with the associated topics (by unrelated users) will be marked as deleted. This issue has been patched in version 2.2.0.
Severity ?
7.3 (High)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:04:06.264552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:04:12.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator deletes the malicious user\u0027s account, all their posts (comments) along with the associated topics (by unrelated users) will be marked as deleted. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:51:21.670Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-22mc-7c9m-gv8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-22mc-7c9m-gv8h"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/7040924e27f99aa486c619a5b4ca809051a1ca7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/7040924e27f99aa486c619a5b4ca809051a1ca7f"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
}
],
"source": {
"advisory": "GHSA-22mc-7c9m-gv8h",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30357",
"datePublished": "2025-04-18T15:51:21.670Z",
"dateReserved": "2025-03-21T14:12:06.270Z",
"dateUpdated": "2025-04-18T16:04:12.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30158 (GCVE-0-2025-30158)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:50 – Updated: 2025-04-18 16:04
VLAI?
Title
NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attributes. This allows an authenticated attacker to perform a UI-based denial of service (DoS) by injecting oversized iframes that block the forum UI and disrupt normal user interactions. This issue has been patched in version 2.2.0.
Severity ?
7.1 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30158",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:04:50.411500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:04:53.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2prx-rgr7-hq5f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe\u0027s width and height attributes. This allows an authenticated attacker to perform a UI-based denial of service (DoS) by injecting oversized iframes that block the forum UI and disrupt normal user interactions. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:50:49.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2prx-rgr7-hq5f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2prx-rgr7-hq5f"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/caa42a975338a13fbc1658e8c440108f16135643",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/caa42a975338a13fbc1658e8c440108f16135643"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
}
],
"source": {
"advisory": "GHSA-2prx-rgr7-hq5f",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30158",
"datePublished": "2025-04-18T15:50:49.309Z",
"dateReserved": "2025-03-17T12:41:42.566Z",
"dateUpdated": "2025-04-18T16:04:53.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29784 (GCVE-0-2025-29784)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:50 – Updated: 2025-04-18 16:05
VLAI?
Title
NamelessMC Has Lack of Length Validation for s Parameter in GET Requests
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29784",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:05:26.830187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:05:30.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:50:17.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm"
},
{
"name": "https://github.com/NamelessMC/Nameless/commit/f5341e56930a98978171e0a871d60f19ab30ebdd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/commit/f5341e56930a98978171e0a871d60f19ab30ebdd"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0"
}
],
"source": {
"advisory": "GHSA-4hrq-rf96-c2jm",
"discovery": "UNKNOWN"
},
"title": "NamelessMC Has Lack of Length Validation for s Parameter in GET Requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29784",
"datePublished": "2025-04-18T15:50:17.656Z",
"dateReserved": "2025-03-11T14:23:00.475Z",
"dateUpdated": "2025-04-18T16:05:30.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22142 (GCVE-0-2025-22142)
Vulnerability from cvelistv5 – Published: 2025-01-13 19:56 – Updated: 2025-01-13 20:07
VLAI?
Title
Cross-site Scripting in NamelessMC
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
<= 2.1.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22142",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:06:38.399802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:07:05.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user\u0027s profile on staff panel. As a result an attacker can execute javascript code on the staffer\u0027s computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T19:56:59.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3"
}
],
"source": {
"advisory": "GHSA-9q22-w64p-g8qm",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in NamelessMC"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22142",
"datePublished": "2025-01-13T19:56:59.869Z",
"dateReserved": "2024-12-30T03:00:33.653Z",
"dateUpdated": "2025-01-13T20:07:05.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22144 (GCVE-0-2025-22144)
Vulnerability from cvelistv5 – Published: 2025-01-13 19:49 – Updated: 2025-01-13 20:21
VLAI?
Title
Account Takeover in NamelessMC
Summary
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NamelessMC | Nameless |
Affected:
<= 2.1.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22144",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:20:59.230880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:21:06.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is a free, easy to use \u0026 powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/\u0026c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T19:49:03.887Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p"
},
{
"name": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3"
}
],
"source": {
"advisory": "GHSA-p883-7496-x35p",
"discovery": "UNKNOWN"
},
"title": "Account Takeover in NamelessMC"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22144",
"datePublished": "2025-01-13T19:49:03.887Z",
"dateReserved": "2024-12-30T03:00:33.653Z",
"dateUpdated": "2025-01-13T20:21:06.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2820 (GCVE-0-2022-2820)
Vulnerability from cvelistv5 – Published: 2022-08-15 10:30 – Updated: 2024-08-03 00:52
VLAI?
Title
Session Fixation in namelessmc/nameless
Summary
Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.
Severity ?
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| namelessmc | namelessmc/nameless |
Affected:
unspecified , < v2.0.2
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "nameless",
"vendor": "namelessmc",
"versions": [
{
"lessThan": "2.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2820",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T20:26:40.987921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:27:57.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:58.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "namelessmc/nameless",
"vendor": "namelessmc",
"versions": [
{
"lessThan": "v2.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSession Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.\u003c/p\u003e"
}
],
"value": "Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-10T07:49:16.320Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
}
],
"source": {
"advisory": "df06b7d7-6077-43a5-bd81-3cc66f0d4d19",
"discovery": "EXTERNAL"
},
"title": "Session Fixation in namelessmc/nameless",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2820",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in namelessmc/nameless"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "namelessmc/nameless",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "v2.0.2"
}
]
}
}
]
},
"vendor_name": "namelessmc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
},
{
"name": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de",
"refsource": "MISC",
"url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
}
]
},
"source": {
"advisory": "df06b7d7-6077-43a5-bd81-3cc66f0d4d19",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2820",
"datePublished": "2022-08-15T10:30:53",
"dateReserved": "2022-08-15T00:00:00",
"dateUpdated": "2024-08-03T00:52:58.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2821 (GCVE-0-2022-2821)
Vulnerability from cvelistv5 – Published: 2022-08-15 10:30 – Updated: 2024-08-03 00:52
VLAI?
Title
Missing Critical Step in Authentication in namelessmc/nameless
Summary
Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.
Severity ?
9.8 (Critical)
CWE
- CWE-304 - Missing Critical Step in Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| namelessmc | namelessmc/nameless |
Affected:
unspecified , < v2.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:58.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/c216db15-fe2f-42a7-852a-6c47498cf069"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/namelessmc/nameless/commit/98fe4b7fce5509e49e71f1357118db887b8b88e0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "namelessmc/nameless",
"vendor": "namelessmc",
"versions": [
{
"lessThan": "v2.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-304",
"description": "CWE-304 Missing Critical Step in Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-15T10:30:35",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/c216db15-fe2f-42a7-852a-6c47498cf069"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/namelessmc/nameless/commit/98fe4b7fce5509e49e71f1357118db887b8b88e0"
}
],
"source": {
"advisory": "c216db15-fe2f-42a7-852a-6c47498cf069",
"discovery": "EXTERNAL"
},
"title": "Missing Critical Step in Authentication in namelessmc/nameless",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2821",
"STATE": "PUBLIC",
"TITLE": "Missing Critical Step in Authentication in namelessmc/nameless"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "namelessmc/nameless",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "v2.0.2"
}
]
}
}
]
},
"vendor_name": "namelessmc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-304 Missing Critical Step in Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/c216db15-fe2f-42a7-852a-6c47498cf069",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/c216db15-fe2f-42a7-852a-6c47498cf069"
},
{
"name": "https://github.com/namelessmc/nameless/commit/98fe4b7fce5509e49e71f1357118db887b8b88e0",
"refsource": "MISC",
"url": "https://github.com/namelessmc/nameless/commit/98fe4b7fce5509e49e71f1357118db887b8b88e0"
}
]
},
"source": {
"advisory": "c216db15-fe2f-42a7-852a-6c47498cf069",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2821",
"datePublished": "2022-08-15T10:30:35",
"dateReserved": "2022-08-15T00:00:00",
"dateUpdated": "2024-08-03T00:52:58.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}