
CVE-2023-33245
https://notcve.org/view.php?id=CVE-2023-33245
30 May 2023 — Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink. • https://help.minecraft.net/hc/en-us/articles/16165590199181 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2022-39221 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') McWebserver Minecraft Mod
https://notcve.org/view.php?id=CVE-2022-39221
20 Sep 2022 — McWebserver mod runs a simple HTTP server alongside the Minecraft server in separate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files accessible by the program to be read by anyone via HTTP request. Version 0.2.0 with patches has been released for both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` ... • https://github.com/J-onasJones/McWebserver/pull/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-23884
https://notcve.org/view.php?id=CVE-2022-23884
28 Mar 2022 — Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). • https://github.com/nanaao/CVE-2022-23884 • CWE-190: Integer Overflow or Wraparound •

CVE-2021-35054
https://notcve.org/view.php?id=CVE-2021-35054
20 Jul 2021 — Minecraft before 1.17.1, when online-mode=false is configured, allows path traversal for deletion of arbitrary JSON files. • http://jvn.jp/en/jp/JVN53278122/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-33790
https://notcve.org/view.php?id=CVE-2021-33790
31 May 2021 — The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. • https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm • CWE-502: Deserialization of Untrusted Data •

CVE-2018-5749
https://notcve.org/view.php?id=CVE-2018-5749
23 Jan 2018 — install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter. • https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •