Primary

Context

NamelessMC Cross-Site Scripting Vulnerability Allowing JavaScript Execution on Staff Panel

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in NamelessMC versions through 2.1.2. This issue allows users to inject JavaScript into an additional field, which is executed when a staff member views the user's profile in the staff panel. Consequently, an attacker could run JavaScript on the staff member's computer.

Impact

Exploitation of this vulnerability allows for the execution of JavaScript on the staff member's computer.

Reproduction

To reproduce this vulnerability, an admin must first enable the option for users to fill out additional fields. Once this is done, a user can inject a script, such as a JavaScript alert, into the new field. When a staff member with the appropriate permissions visits the user's profile, the injected script will execute.

Remediation

Users are advised to upgrade to NamelessMC version 2.1.3, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

6.0

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

6.0

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

NamelessMC Cross-Site Scripting Vulnerability Allowing JavaScript Execution on Staff Panel

Vulnerability

Impact

Reproduction

Remediation

Affected Products

NamelessMC

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating