NamelessMC Forum Denial-of-Service Vulnerability via Oversized Iframes

Vulnerability

A denial-of-service vulnerability has been identified in NamelessMC versions through 2.1.4. The issue arises in the forum component, where users can post iframe elements without restrictions on the width and height attributes. This flaw allows authenticated attackers to inject oversized iframes that obstruct the forum user interface, disrupting normal interactions. The vulnerability has been patched in version 2.2.0.

Impact

Exploitation of this vulnerability causes a user interface disruption, preventing interaction with forum buttons, menus, and comment fields. When the issue is exploited at scale, it degrades service performance. This problem can affect both administrators and regular users, depending on individual forum permissions.

Reproduction

The vulnerability can be reproduced by posting a comment or topic in the forum that includes an iframe element. Setting the iframe's width and height attributes to excessive values, such as '9999999999', makes it visually block important UI elements. This can be done manually or automated with a script that posts the oversized iframes across multiple topics.

Remediation

Users can update to NamelessMC version 2.2.0, where this vulnerability has been fixed.
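
Content posted before the upgrade may still hold oversized iframes, so an audit of stored post bodies is a useful follow-up. The script below is an added example, not NamelessMC code: the pixel ceilings, the sample posts and the idea of auditing exported post HTML are assumptions, and the advisory does not say how 2.2.0 treats existing content.

```python
import re
from html.parser import HTMLParser

# Assumed policy ceilings in CSS pixels; not values taken from NamelessMC.
MAX_DIM = {"width": 1920, "height": 1080}
_DIM = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(px|%)?\s*$", re.I)
_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)

def too_big(name, value):
    """Flag values over the ceiling; anything unparseable is flagged for review."""
    m = _DIM.match(value or "")
    if not m:
        return True
    limit = 100 if (m.group(2) or "") == "%" else MAX_DIM[name]
    return float(m.group(1)) > limit

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, dimension, raw value)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        dims = []
        for key, val in attrs:  # every occurrence, so duplicates cannot hide one
            if key in MAX_DIM:
                dims.append((key, val))
            elif key == "style":
                dims += [(n.lower(), v) for n, v in _STYLE_DIM.findall(val or "")]
        line = self.getpos()[0]
        self.findings += [(line, n, (v or "").strip()) for n, v in dims if too_big(n, v)]

def audit_post(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed post bodies keyed by a made-up post id.
SAMPLE_POSTS = {
    101: '<p>Trailer:</p>\n<iframe src="https://example.com/v" width="560" height="315"></iframe>',
    102: '<p>hi</p>\n<iframe src="https://example.com/x" width="9999999999" height="9999999999"></iframe>',
    103: '<iframe src="https://example.com/y" style="width: 9999999999px; min-width: 10px"></iframe>',
}

def audit_all(posts):
    """Return {post_id: findings} for posts with at least one oversized iframe."""
    return {pid: f for pid, body in posts.items() if (f := audit_post(body))}
```

Values in units other than px or % are reported for manual review rather than treated as safe.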

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.