NamelessMC permet une attaque de Cross-Site Scripting (XSS) stockée dans l'éditeur de texte du tableau de bord
Plateforme
php
Composant
nameless
Corrigé dans
2.2.5
A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-54117) has been identified in NamelessMC, a popular website software for Minecraft servers. This flaw allows authenticated attackers to inject malicious web scripts or HTML into the dashboard, potentially leading to account takeover or defacement. The vulnerability affects versions of NamelessMC prior to 2.2.3, with a fix available in version 2.2.4.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of CVE-2025-54117 allows an attacker with authenticated access to the NamelessMC dashboard to inject arbitrary JavaScript code. This code can then be executed in the context of other users accessing the dashboard, potentially leading to session hijacking, credential theft, or the injection of malicious content onto the Minecraft server website. The impact is particularly severe as the dashboard often contains sensitive information related to server configuration and user accounts. Attackers could also leverage this vulnerability to redirect users to phishing sites or install malware.
Contexte d'Exploitationtraduction en cours…
CVE-2025-54117 was publicly disclosed on 2025-08-18. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation. The vulnerability's criticality (CVSS 9.1) indicates a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV.
Qui Est à Risquetraduction en cours…
Minecraft server administrators using NamelessMC versions prior to 2.2.4 are at direct risk. Shared hosting environments where multiple Minecraft servers share the same NamelessMC installation are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others. Users who have not implemented robust password policies or multi-factor authentication are also at increased risk.
Étapes de Détectiontraduction en cours…
• wordpress / composer / npm:
grep -r "<script>" /var/www/namelessmc/cache/*
grep -r "<img src="javascript:" /var/www/namelessmc/cache/*• generic web:
curl -I https://your-namelessmc-site.com/dashboard/ | grep -i 'content-security-policy'Chronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.04% (percentile 12%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Modifié — l'attaque peut pivoter au-delà du composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2025-54117 is to immediately upgrade NamelessMC to version 2.2.4 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding within the dashboard text editor to sanitize user-supplied content. While not a complete solution, this can reduce the attack surface. Review dashboard access controls to limit the number of users with administrative privileges. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the dashboard text editor; it should be properly sanitized and not execute.
Comment corriger
Mettez à jour NamelessMC à la version 2.2.4 ou supérieure. Cette version contient une correction pour la vulnérabilité XSS. La mise à jour peut être effectuée via le panneau d'administration ou en téléchargeant la dernière version du logiciel.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2025-54117 — XSS in NamelessMC?
CVE-2025-54117 is a critical Cross-Site Scripting (XSS) vulnerability affecting NamelessMC versions before 2.2.4. It allows attackers to inject malicious scripts into the dashboard.
Am I affected by CVE-2025-54117 in NamelessMC?
You are affected if you are using NamelessMC version 2.2.4 or earlier. Check your version and upgrade immediately.
How do I fix CVE-2025-54117 in NamelessMC?
Upgrade NamelessMC to version 2.2.4 or later. If immediate upgrade is not possible, implement input validation and output encoding in the dashboard text editor.
Is CVE-2025-54117 being actively exploited?
While no public exploits are currently known, the high severity and ease of exploitation suggest a potential for active exploitation.
Where can I find the official NamelessMC advisory for CVE-2025-54117?
Refer to the official NamelessMC website and security announcements for the latest information and advisory regarding CVE-2025-54117.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.