NamelessMC Cross-Site Scripting Vulnerability in Dashboard Text Editor Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in NamelessMC versions prior to 2.2.3. It allows remote authenticated attackers to inject arbitrary web scripts or HTML through the dashboard text editor component. The root cause is that the application does not properly sanitize user input, so injected markup is stored and later executed when an admin inspects the user's profile or visits certain areas such as the cookie editor.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, an authenticated user can inject XSS payloads into their signature via the user settings page. Once the signature is saved, an admin can trigger the XSS by editing the user's profile, where the injected script will be executed. This vulnerability can also be reproduced by injecting scripts into the cookie editor.

Remediation

Users are advised to update to NamelessMC version 2.2.4 or later, where this vulnerability has been patched.
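The root cause named above is stored user markup reaching the page without sanitization or output encoding. The following Python example is added here for illustration and is not NamelessMC's own code: it shows the unsafe rendering pattern beside two fixes, plain HTML escaping (no markup survives) and an allowlist sanitizer that keeps basic formatting but drops script and style elements, event-handler attributes and non-http(s) link targets. The tag and attribute allowlists, the function names and the sample signature are assumptions constructed for the demonstration.

```python
"""Added example: rendering a stored user signature safely.

Illustrative code written for this advisory, not NamelessMC's own
implementation.  Allowlists, function names and the sample signature
are assumptions chosen for the demonstration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting a signature may reasonably contain; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers
SAFE_SCHEMES = {"http", "https"}         # absolute http(s) links only
VOID_TAGS = {"br"}
CONTENT_DROPPED = {"script", "style"}    # drop the element *and* its body

# Constructed sample: an inline handler, a script element and harmless
# formatting side by side.
SAMPLE_SIGNATURE = (
    'Visit <a href="https://example.com" onclick="evil()">my site</a>'
    "<script>steal()</script> and <b>cheers</b>"
)


def render_unsafe(signature: str) -> str:
    """The vulnerable pattern: stored markup interpolated verbatim."""
    return f'<div class="signature">{signature}</div>'


def render_escaped(signature: str) -> str:
    """Simplest fix: treat the signature as text, so no markup survives."""
    return f'<div class="signature">{html.escape(signature, quote=True)}</div>'


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.

    Text is always re-escaped, so anything not explicitly allowed comes
    out as inert text rather than as markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []           # sanitized fragments, joined at the end
        self.open_stack = []    # allowlisted tags currently open
        self.skipping = None    # element whose whole body is being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in CONTENT_DROPPED:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                          # drop the tag, keep its text
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                    # drops onclick=, style=, ...
            if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue                    # drops javascript:, data:, ...
            rendered.append(f' {name}="{html.escape(value or "", quote=True)}"')
        if tag == "a":
            rendered.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_stack:
            while self.open_stack:          # also closes tags left open inside
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.skipping = None
        while self.open_stack:              # balance anything still open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_signature(signature: str) -> str:
    """Allowlist-sanitize a signature so it is safe to place into HTML."""
    parser = AllowlistSanitizer()
    parser.feed(signature)
    parser.close()
    return parser.result()


def render_sanitized(signature: str) -> str:
    return f'<div class="signature">{sanitize_signature(signature)}</div>'


if __name__ == "__main__":
    print("unsafe:   ", render_unsafe(SAMPLE_SIGNATURE))
    print("escaped:  ", render_escaped(SAMPLE_SIGNATURE))
    print("sanitized:", render_sanitized(SAMPLE_SIGNATURE))
```

Escaping is the right default for fields that never need formatting; an allowlist sanitizer is the option when users are promised basic formatting, and it must re-escape every text node and every kept attribute value rather than try to strip known-bad patterns. Whichever is chosen, it belongs at the point of rendering, so an admin viewing the profile or the cookie editor sees the same sanitized output as everyone else.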

Added: Aug 18, 2025, 4:18 PM
Updated: Aug 18, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.5
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.