NamelessMC allows Stored Cross-Site Scripting (XSS) in the dashboard text editor
Platform: php
Component: nameless
Fixed in: 2.2.5
A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-54117) has been identified in NamelessMC, a popular website software for Minecraft servers. This flaw allows authenticated attackers to inject malicious web scripts or HTML into the dashboard, potentially leading to account takeover or defacement. The vulnerability affects versions of NamelessMC prior to 2.2.3, with a fix available in version 2.2.4.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-54117 allows an attacker with authenticated access to the NamelessMC dashboard to inject arbitrary JavaScript code. This code can then be executed in the context of other users accessing the dashboard, potentially leading to session hijacking, credential theft, or the injection of malicious content onto the Minecraft server website. The impact is particularly severe as the dashboard often contains sensitive information related to server configuration and user accounts. Attackers could also leverage this vulnerability to redirect users to phishing sites or install malware.
Exploitation Context
CVE-2025-54117 was publicly disclosed on 2025-08-18. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation. The vulnerability's criticality (CVSS 9.1) indicates a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV.
Who Is at Risk
Minecraft server administrators using NamelessMC versions prior to 2.2.4 are at direct risk. Shared hosting environments where multiple Minecraft servers share the same NamelessMC installation are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others. Users who have not implemented robust password policies or multi-factor authentication are also at increased risk.
Detection Steps
• wordpress / composer / npm:
grep -r "<script>" /var/www/namelessmc/cache/*
grep -r '<img src="javascript:' /var/www/namelessmc/cache/*
• generic web:
curl -I https://your-namelessmc-site.com/dashboard/ | grep -i 'content-security-policy'
Threat Intelligence
EPSS: 0.04% (12th percentile)
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access is required.
- Attack Complexity: Low. No special conditions are required; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: Required. The victim must open a file, click a link or visit a page.
- Scope: Changed. The attack can extend beyond the vulnerable component to other systems.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete crash or resource exhaustion; total denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2025-54117 is to immediately upgrade NamelessMC to version 2.2.4 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding within the dashboard text editor to sanitize user-supplied content. While not a complete solution, this can reduce the attack surface. Review dashboard access controls to limit the number of users with administrative privileges. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the dashboard text editor; it should be properly sanitized and not execute.
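The output-encoding stopgap described above, as an added example that is not NamelessMC's own code: an allowlist sanitizer for editor-supplied HTML built on PHP's DOMDocument, which keeps basic formatting but strips scripts, event handlers and javascript: links. The function names sanitize_editor_html, clean_node and safe_url and the tag and attribute lists are assumptions; a maintained library such as HTML Purifier is the production choice, and none of this replaces the upgrade.

```php
<?php
// Added example, not NamelessMC code: allowlist sanitizer for editor-supplied HTML.
// Function names, tag list and attribute list are assumptions for this illustration.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                       'a', 'h1', 'h2', 'h3', 'blockquote', 'code', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];

// Only http/https/mailto links (or relative URLs) may stay in an href.
function safe_url(string $url): bool
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

function clean_node(DOMNode $node): void
{
    // Walk a copy of the child list because the tree is modified while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) continue;   // text/comment nodes carry no markup
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child);      // script, img, iframe... go with their content
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true) && ($name !== 'href' || safe_url($attr->value));
            if (!$ok) {
                $child->removeAttribute($attr->name);   // drops on*, style and javascript: hrefs
            }
        }
        clean_node($child);
    }
}

function sanitize_editor_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // tolerate the malformed HTML editors produce
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // the wrapper div added above
    clean_node($root);
    return implode('', array_map(fn ($n) => $doc->saveHTML($n), iterator_to_array($root->childNodes)));
}

// Constructed sample of attacker-controlled editor content: handler, link and script are stripped, text kept.
echo sanitize_editor_html('<p onclick="x()">Hi <a href="javascript:alert(1)">link</a><script>alert(1)</script></p>'), PHP_EOL;
```

Anything not on the allowlist is removed together with its content, so any embeds the editor legitimately produces must be added to the lists explicitly rather than letting unknown tags through.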
How to Fix
Update NamelessMC to version 2.2.4 or higher. This version contains a fix for the XSS vulnerability. The update can be performed via the admin panel or by downloading the latest version of the software.
Frequently Asked Questions
What is CVE-2025-54117 — XSS in NamelessMC?
CVE-2025-54117 is a critical Cross-Site Scripting (XSS) vulnerability affecting NamelessMC versions before 2.2.4. It allows attackers to inject malicious scripts into the dashboard.
Am I affected by CVE-2025-54117 in NamelessMC?
You are affected if you are using NamelessMC version 2.2.4 or earlier. Check your version and upgrade immediately.
How do I fix CVE-2025-54117 in NamelessMC?
Upgrade NamelessMC to version 2.2.4 or later. If immediate upgrade is not possible, implement input validation and output encoding in the dashboard text editor.
Is CVE-2025-54117 being actively exploited?
While no public exploits are currently known, the high severity and ease of exploitation suggest a potential for active exploitation.
Where can I find the official NamelessMC advisory for CVE-2025-54117?
Refer to the official NamelessMC website and security announcements for the latest information and advisory regarding CVE-2025-54117.