Platform
php
Component
nameless
Fixed in
2.2.5
A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-54117) has been identified in NamelessMC, a widely used website platform for Minecraft servers. This flaw allows authenticated attackers to inject malicious web scripts or HTML into the dashboard, potentially leading to account takeover or defacement. The vulnerability affects versions of NamelessMC prior to 2.2.3, with a fix available in version 2.2.4.
Successful exploitation of CVE-2025-54117 allows an attacker with authenticated access to the NamelessMC dashboard to inject arbitrary JavaScript code. This code can then be executed in the context of other users accessing the dashboard, potentially leading to session hijacking, credential theft, or the injection of malicious content onto the Minecraft server website. The impact is particularly severe as the dashboard often contains sensitive information related to server configuration and user accounts. Attackers could also leverage this vulnerability to redirect users to phishing sites or install malware.
CVE-2025-54117 was publicly disclosed on 2025-08-18. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation. The vulnerability's criticality (CVSS 9.1) indicates a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV.
Minecraft server administrators using NamelessMC versions prior to 2.2.4 are at direct risk. Shared hosting environments where multiple Minecraft servers share the same NamelessMC installation are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others. Users who have not implemented robust password policies or multi-factor authentication are also at increased risk.
• wordpress / composer / npm:
grep -r "<script>" /var/www/namelessmc/cache/*
grep -r '<img src="javascript:' /var/www/namelessmc/cache/*
• generic web:
curl -I https://your-namelessmc-site.com/dashboard/ | grep -i 'content-security-policy'
Disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54117 is to immediately upgrade NamelessMC to version 2.2.4 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding within the dashboard text editor to sanitize user-supplied content. While not a complete solution, this can reduce the attack surface. Review dashboard access controls to limit the number of users with administrative privileges. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the dashboard text editor; it should be properly sanitized and not execute.
Update NamelessMC to version 2.2.4 or higher. This version contains a fix for the XSS vulnerability. The update can be performed via the admin panel or by downloading the latest version of the software.
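The output-encoding mitigation and the post-upgrade verification step described above, shown as an added PHP example that is not NamelessMC's own code; the wrapper markup, function names and sample inputs are assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// Encode untrusted text for an HTML text node or a double-quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of silently returning an empty string.
function encode_for_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a dashboard notice the way a template should: the wrapper markup
// is fixed and trusted, only the encoded user text is interpolated into it.
// (Hypothetical wrapper, not the real NamelessMC template.)
function render_dashboard_notice(string $untrusted): string
{
    return '<div class="notice">' . encode_for_html($untrusted) . '</div>';
}

// The advisory's post-upgrade check, automated: strip the fixed wrapper and
// confirm that no character able to open a tag or break out of an attribute
// survived in the interpolated part.
function is_inert(string $rendered): bool
{
    $inner = substr($rendered, strlen('<div class="notice">'), -strlen('</div>'));
    return $inner !== false && strpbrk($inner, '<>"\'') === false;
}

// Constructed sample inputs: one benign string and three classic XSS probes
// of the kind the detection greps above look for in the cache.
$samples = [
    'Welcome to the server!',
    '<script>alert(1)</script>',
    '<img src="javascript:alert(1)">',
    '" onmouseover="alert(1)',
];
foreach ($samples as $s) {
    $out = render_dashboard_notice($s);
    printf("%-32s -> %s [%s]\n", $s, $out, is_inert($out) ? 'inert' : 'LIVE');
}

// Defence in depth, matching the CSP header check in the advisory: sent before
// any output, this forbids inline script so stray markup cannot execute.
// header("Content-Security-Policy: default-src 'self'; script-src 'self'");
```

Every sample except the benign one is rendered as literal text and reported as inert; a template that concatenates the raw input instead would print the same probes unencoded and fail the check.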
CVE-2025-54117 is a critical Cross-Site Scripting (XSS) vulnerability affecting NamelessMC versions before 2.2.4. It allows attackers to inject malicious scripts into the dashboard.
You are affected if you are using NamelessMC version 2.2.4 or earlier. Check your version and upgrade immediately.
Upgrade NamelessMC to version 2.2.4 or later. If immediate upgrade is not possible, implement input validation and output encoding in the dashboard text editor.
While no public exploits are currently known, the high severity and ease of exploitation suggest a potential for active exploitation.
Refer to the official NamelessMC website and security announcements for the latest information and advisory regarding CVE-2025-54117.