NamelessMC User Deletion Vulnerability Causes Unintended Forum Post Deletion

A vulnerability in NamelessMC versions through 2.1.4 allows for unintended deletion of forum posts when an administrator deletes a user account. This occurs because the deletion process removes all posts by the user, including those on topics created by unrelated users. The vulnerability arises from the application's handling of user deletions, which does not account for the impact on forum topics and posts. This issue has been addressed in version 2.2.0.

Impact

Deleting a user account also deletes all forum posts by that user and any associated topics, disrupting discussions and potentially removing important content.

Reproduction

To reproduce this vulnerability, an administrator must delete a user account that has posted comments on multiple forum topics. The deletion will trigger the removal of all the user's posts and the topics they created, as well as posts from other users in the same topics, due to the cascading delete effects of the database's foreign key constraints.

Remediation

Users can update to NamelessMC version 2.2.0, which addresses this vulnerability.