Nameless
OAuth login CSRF in NamelessMC 2.2.4 and prior enables session swapping by exploiting the absence of server-side state parameter validation during OAuth callback handling. An unauthenticated attacker (PR:N) who controls their own OAuth-linked account can capture a valid callback URL and socially engineer a victim (UI:R) into navigating to it, causing the victim's browser session to become authenticated as the attacker's account - effectively hijacking the victim's logged-in state. No public exploit has been identified and this is not listed in the CISA KEV catalog, but the patch to version 2.2.5 is confirmed via GitHub Security Advisory GHSA-pmpw-2xvh-5xj6.
Broken access control in NamelessMC 2.2.4 (Minecraft community website software) allows any low-privileged authenticated user to read posts from hidden, private, or staff-only forums by sending crafted requests to the get_quotes.php endpoint. The Forum module's quote helper only verifies that the caller is logged in and fails to enforce forum/topic visibility ACLs that the normal topic view does enforce. No public exploit identified at time of analysis, but the issue is trivial to weaponize given an account on the affected site.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.