CVE-2025-31120
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/04/2025
Last modified: 13/05/2025
Description
NamelessMC is a free, easy-to-use and powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]), or a session variable for guests, to determine whether a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0.
Impact
Base Score 3.x: 5.30
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:* | | 2.2.0 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7
- https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0
- https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646