CVE-2025-54117
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in NamelessMC's dashboard text editor allows authenticated attackers to inject malicious scripts that execute in victims' browsers. This affects all NamelessMC installations before version 2.2.3. Attackers can steal session cookies, perform actions as the victim, or deface the dashboard.
💻 Affected Systems
- NamelessMC
📦 What is this software?
Nameless by Namelessmc
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative control over the NamelessMC instance, compromise the Minecraft server integration, and pivot to other systems.
Likely Case
Attackers with authenticated access inject malicious scripts that execute when administrators view the dashboard, potentially stealing session tokens and performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the script payloads would be rendered harmless as text rather than executable code.
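The sentence above describes the fix in one line; the following Python sketch, added here as an illustration and not NamelessMC's own code, shows what "input validation and output encoding" looks like for a rich-text editor: submitted HTML is parsed, only a small allowlist of formatting tags and http/https link targets is kept, and every other tag, attribute (event handlers included) and script body is dropped or rendered as inert text. The allowlist policy, the class and function names, and the sample inputs are assumptions chosen for this example; the page does not show NamelessMC's editor configuration.

```python
"""Allowlist sanitizer for rich-text editor content (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy for a dashboard text editor: a few formatting tags,
# links with safe schemes only, everything else removed or shown as text.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # the tag and everything inside it go


def safe_href(value):
    """True if the link target uses an allowed scheme (relative URLs are rejected)."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output fragments
        self.open = []      # stack of emitted open tags, so output stays balanced
        self.drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag vanishes; its text content still flows through
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # onclick=, onerror=, style= ... never survive
            if name == "href" and not safe_href(value):
                continue  # javascript: and similar targets are dropped
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open:  # close intervening tags so output stays well-formed
            while self.open:
                opened = self.open.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Output encoding: text is always HTML-escaped, never passed raw.
            self.out.append(escape(data, quote=True))


def sanitize(fragment):
    """Return a version of `fragment` that contains only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    for opened in reversed(parser.open):  # close anything left open
        parser.out.append(f"</{opened}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: the first is legitimate editor content, the rest are
    # the kinds of markup the advisory's indicators describe.
    for sample in ('<p>Hello <b>admin</b></p>',
                   '<script>alert(1)</script>welcome',
                   '<a href="javascript:alert(1)" onclick="x()">link</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The important design choice is that nothing is ever passed through unmodified: text is always escaped at output, and markup survives only by matching the allowlist. A denylist that tries to strip known-bad tags is the usual way such editors go wrong.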
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained. The advisory includes details about the vulnerable component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.4
Vendor Advisory: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-gp3j-j84w-vqxx
Restart Required: No
Instructions:
1. Backup your current NamelessMC installation and database.
2. Download NamelessMC version 2.2.4 or later from the official repository.
3. Replace all files with the new version, preserving your configuration files.
4. Clear any browser caches and test the dashboard functionality.
🔧 Temporary Workarounds
Disable dashboard text editor for non-admins
Restrict access to the vulnerable text editor component to administrators only through permission settings.
Implement Content Security Policy (CSP)
Add a strict CSP header to prevent execution of inline scripts and limit script sources.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict dashboard access to trusted administrators only using IP whitelisting or VPN requirements.
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Check your NamelessMC version in the admin panel or by examining the core/version.php file. If the version is below 2.2.3, you are vulnerable.
Check Version:
Check the file: grep '\$version' /path/to/namelessmc/core/version.php
Verify Fix Applied:
After updating, verify the version shows 2.2.4 or higher in the admin panel. Test the dashboard text editor functionality to ensure it still works but sanitizes HTML input.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to dashboard endpoints containing script tags or JavaScript code
- Multiple failed authentication attempts followed by successful login and dashboard access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript event handlers in dashboard-related parameters
- Unexpected outbound connections from the NamelessMC server after dashboard access
SIEM Query:
source="namelessmc_logs" AND (uri_path="/dashboard" OR uri_path="/admin") AND (http_method="POST") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")
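The SIEM query above matches the literal strings <script> and javascript:, so a request body that is percent-encoded, double-encoded or mixed-case would not be matched, and inline event handlers (listed under network indicators) are not covered at all. The Python scanner below is an added example, not NamelessMC or vendor code: it applies the same indicators to structured request logs after decoding the body, and adds a coarse event-handler check. The JSON-lines record format and its field names (src_ip, http_method, uri_path, request_body) are assumptions, and every sample record is constructed.

```python
"""Triage scanner for XSS payload attempts against dashboard endpoints (added example)."""
import json
import re
from urllib.parse import unquote_plus

# Endpoints and method follow the advisory's SIEM query; the patterns are
# case-insensitive and tolerate whitespace that the literal query would miss.
WATCHED_PATHS = ("/dashboard", "/admin")
PAYLOAD_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    # Coarse on purpose: good enough for triage, too noisy for blocking.
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def normalize(body):
    """Percent-decode twice so single- and double-encoded bodies both surface."""
    return unquote_plus(unquote_plus(body))


def classify(record):
    """Return the indicator names this record hits, or [] if it is clean."""
    if record.get("http_method") != "POST":
        return []
    path = record.get("uri_path", "")
    if not any(path.startswith(prefix) for prefix in WATCHED_PATHS):
        return []
    body = normalize(record.get("request_body", ""))
    return [name for name, pattern in PAYLOAD_PATTERNS if pattern.search(body)]


def scan(lines):
    """Parse JSON-lines records (assumed format) and collect the flagged ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        indicators = classify(record)
        if indicators:
            hits.append({
                "src_ip": record.get("src_ip"),
                "uri_path": record.get("uri_path"),
                "indicators": indicators,
            })
    return hits


# Constructed sample records (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """
{"src_ip":"203.0.113.10","http_method":"POST","uri_path":"/dashboard","request_body":"content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"src_ip":"203.0.113.11","http_method":"POST","uri_path":"/admin/settings","request_body":"content=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}
{"src_ip":"198.51.100.5","http_method":"POST","uri_path":"/dashboard","request_body":"content=Welcome+to+the+server"}
{"src_ip":"198.51.100.6","http_method":"GET","uri_path":"/dashboard","request_body":""}
{"src_ip":"203.0.113.12","http_method":"POST","uri_path":"/forum/post","request_body":"content=%3Cscript%3E"}
not json at all
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against the constructed log, only the two encoded payloads aimed at /dashboard and /admin are reported; the benign post, the GET request and the forum endpoint are left alone. Decoding before matching is the one change that most reduces misses relative to the literal SIEM query.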