
CVE-2025-32389 – NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages
https://notcve.org/view.php?id=CVE-2025-32389
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a&param[1]=b&param[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4. • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-5984-mhcp-cq2x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-31120 – NamelessMC Vulnerable to Cookie-Based View Count Manipulation
https://notcve.org/view.php?id=CVE-2025-31120
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue h... • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •

CVE-2025-31118 – NamelessMC Has Forum Reply Submission Time Limit Bypass
https://notcve.org/view.php?id=CVE-2025-31118
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum quick reply feature (view_topic.php) does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction, resulting in an uncontrolled surge of posts that can disrupt normal operations. This issue has been patched in version 2.2.0. • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-jhvp-mwj4-922m • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-30357 – NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion
https://notcve.org/view.php?id=CVE-2025-30357
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator deletes the malicious user's account, all their posts (comments) along with the associated topics (by unrelated users) will be marked as deleted. This issue has been patched in version 2.2.0. • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-22mc-7c9m-gv8h • CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVE-2025-30158 – NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service
https://notcve.org/view.php?id=CVE-2025-30158
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attributes. This allows an authenticated attacker to perform a UI-based denial of service (DoS) by injecting oversized iframes that block the forum UI and disrupt normal user interactions. This issue has been patched in version 2.2.0. • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2prx-rgr7-hq5f • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-29784 – NamelessMC Has Lack of Length Validation for s Parameter in GET Requests
https://notcve.org/view.php?id=CVE-2025-29784
18 Apr 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the `s` parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0. • https://github.com/NamelessMC/Nameless/security/advisories/GHSA-4hrq-rf96-c2jm • CWE-20: Improper Input Validation • CWE-130: Improper Handling of Length Parameter Inconsistency • CWE-1284: Improper Validation of Specified Quantity in Input •

CVE-2025-22142 – Cross-site Scripting in NamelessMC
https://notcve.org/view.php?id=CVE-2025-22142
13 Jan 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions, an admin can add an additional field for users to fill out, and users can inject JavaScript code into it that is activated once a staffer visits the user's profile on the staff panel. As a result, an attacker can execute JavaScript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vuln... • https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-22144 – Account Takeover in NamelessMC
https://notcve.org/view.php?id=CVE-2025-22144
13 Jan 2025 — NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php... • https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •

CVE-2022-2820 – Session Fixation in namelessmc/nameless
https://notcve.org/view.php?id=CVE-2022-2820
15 Aug 2022 — Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. Improper Access Control in the GitHub repository namelessmc/nameless in versions prior to v2.0.2. • https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de • CWE-384: Session Fixation •

CVE-2022-2821 – Missing Critical Step in Authentication in namelessmc/nameless
https://notcve.org/view.php?id=CVE-2022-2821
15 Aug 2022 — Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2. • https://github.com/namelessmc/nameless/commit/98fe4b7fce5509e49e71f1357118db887b8b88e0 • CWE-304: Missing Critical Step in Authentication •