CVE-2025-22144

216.73.216.233

· Published 13/01/2025 20:15 · Modified 13/01/2025 21:15

Labels: CVE-2025-22144 2025-01-13 CVE-2025-22144 CWE-610 [email protected]

Essential information

Published: 13/01/2025 20:15
Modified: 13/01/2025 21:15
Author: —
Creator: —
CVSS: 9.0 CRITICAL (v3) 9.0 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

CVE-2025-22144

Essential information

CVSS metrics

Description

NVD status

References