CVE-2025-22142

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3	Release Notes
https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm	Exploit Vendor Advisory
https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-13 20:15

Updated : 2025-05-13 15:19

NVD link : CVE-2025-22142

Mitre link : CVE-2025-22142

CVE.ORG link : CVE-2025-22142

JSON object : View

Products Affected

namelessmc

nameless

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-22142", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-13T20:15:29.677", "references": [{"url": "https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-9q22-w64p-g8qm", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "NamelessMC es un software de sitios web gratuito, f\u00e1cil de usar y potente para servidores de Minecraft. En las versiones afectadas, un administrador puede agregar la capacidad de que los usuarios completen un campo adicional y los usuarios pueden inyectar c\u00f3digo javascript en \u00e9l que se activar\u00eda una vez que un miembro del personal visite el perfil del usuario en el panel del personal. Como resultado, un atacante puede ejecutar c\u00f3digo javascript en la ordenador del miembro del personal. Este problema se ha solucionado en la versi\u00f3n 2.1.3 y se recomienda a todos los usuarios que actualicen. No se conocen Workarounds para esta vulnerabilidad."}], "lastModified": "2025-05-13T15:19:03.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4402A4C5-43C3-4436-B207-1374812080DD", "versionEndExcluding": "2.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}