CVE-2025-22144 in NamelessMC

Summary

by MITRE • 01/13/2025

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another user's password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 01/14/2025

This vulnerability affects NamelessMC 2.1.2 and earlier. A newly registered account can be activated in two ways: the user follows the link in the validation email, or a staff member holding admincp.core.emails or admincp.users.edit validates the account manually from the AdminCP. The two paths leave the users table in different states. Email validation leaves the reset_code column NULL, whereas manual validation writes an empty string into it. That difference is invisible in normal use and only matters once the password-reset flow reads the column.

The password-reset flow looks an account up by the code it receives in the c query parameter and, on a match, lets the requester set a new password. An exact comparison against a NULL column never matches any submitted value, so email-validated accounts cannot be reached this way. An empty string, however, does match an empty c parameter. A request to index.php?route=/forgot_password/&c= therefore matches a manually validated account, and the handler proceeds to reset that account's password even though no reset was requested and no code was ever issued. The endpoint is /forgot_password/; c is its query parameter, not part of the route.
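The NULL-versus-empty-string behaviour described above, modelled as an added example with an in-memory SQLite table. This is illustrative code written for this page, not NamelessMC's schema or handler; the table layout, the function names and the random-code flow in request_reset are assumptions. It shows the vulnerable lookup matching a manually validated account on an empty code, and a hardened lookup that refuses empty codes and only honours a code that was actually issued.

```python
import secrets
import sqlite3

# Constructed, minimal stand-in for a users table (assumption: not NamelessMC's schema).
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    username   TEXT NOT NULL UNIQUE,
    active     INTEGER NOT NULL DEFAULT 0,
    reset_code TEXT                      -- NULL when no reset is pending
)
"""


def build_db():
    """Fresh in-memory database with two pending (unvalidated) registrations."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return db


def approve_by_email(db, username):
    """Email-link validation: the account becomes active, reset_code stays NULL."""
    db.execute("UPDATE users SET active = 1 WHERE username = ?", (username,))


def approve_manually(db, username, fixed=False):
    """Staff validation. The vulnerable variant writes '' into reset_code;
    the fixed variant leaves it NULL, exactly like the email path does."""
    code = None if fixed else ""
    db.execute("UPDATE users SET active = 1, reset_code = ? WHERE username = ?",
               (code, username))


def request_reset(db, username):
    """Legitimate forgot-password flow: issue a fresh unguessable code.
    (Assumption about the flow; the page does not show how codes are made.)"""
    code = secrets.token_urlsafe(24)
    db.execute("UPDATE users SET reset_code = ? WHERE username = ?", (code, username))
    return code


def account_for_code_vulnerable(db, code):
    """Look the submitted ?c= value straight up. SQL's NULL never equals
    anything, so email-validated rows are safe, but '' = '' is true."""
    row = db.execute("SELECT username FROM users WHERE reset_code = ?",
                     (code,)).fetchone()
    return row[0] if row else None


def account_for_code_fixed(db, code):
    """Hardened lookup: an empty or missing code is rejected before any query,
    and the query itself additionally refuses to match an empty stored value."""
    if not code:
        return None
    row = db.execute(
        "SELECT username FROM users WHERE reset_code = ? AND reset_code <> ''",
        (code,)).fetchone()
    return row[0] if row else None


def demo():
    """Reproduce the advisory: alice validated by email, bob validated by staff,
    then an attacker sends an empty c parameter to the reset endpoint."""
    db = build_db()
    approve_by_email(db, "alice")
    approve_manually(db, "bob")
    attacker_code = ""            # index.php?route=/forgot_password/&c=
    return {
        "vulnerable": account_for_code_vulnerable(db, attacker_code),  # 'bob'
        "fixed": account_for_code_fixed(db, attacker_code),            # None
    }


if __name__ == "__main__":
    print(demo())
```

The same model also shows why the stored data matters independently of the handler: once a row carries '' in reset_code, any lookup that accepts an empty code will match it, so clearing such rows back to NULL (for this toy schema, UPDATE users SET reset_code = NULL WHERE reset_code = '') removes the match on its own.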

The impact is account takeover. Whoever sends that request can reset the password of a manually validated account and log in as that user. The staff member who performed the validation does not need to be malicious, and the attacker needs nothing beyond reaching the forgot_password route, which is public by design; the only prerequisite is that the target account was validated manually, a routine moderation action. If the affected account itself holds AdminCP permissions, the attacker inherits them, so the issue can escalate from a single account to control of the NamelessMC site. The exposure is the website, not the Minecraft server it fronts.

The fix is in NamelessMC 2.1.3; upgrade, since the advisory lists no workaround. Because the dangerous state is data rather than code, it is also worth checking after the upgrade whether any users rows still carry an empty reset_code from earlier manual validations and clearing them to NULL, which removes the match regardless of how the handler now behaves. Keep admincp.core.emails and admincp.users.edit limited to the staff who actually need them, and log both manual validations and password-reset requests: a forgot_password request with a c parameter that is present but empty should not occur in normal use and is a direct indicator of an exploitation attempt. VulDB maps the issue to CWE-284 (Improper Access Control) and to ATT&CK T1078 (Valid Accounts), since the attacker ends up operating through a legitimate account.
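As an added example of the monitoring suggested above, the following is a small detector over web-server access logs; it is not part of this page or of NamelessMC. The log lines are constructed for the example, and the combined-log-format regex is an assumption about how the front-end web server records requests. It flags forgot_password requests whose c parameter is present but empty, which is exactly the request shape given in the advisory, and counts them per source address.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache/Nginx "combined" format; not real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2025:10:01:02 +0000] "GET /nameless/index.php?route=/forgot_password/&c=Ab12cdEF34 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2025:10:01:05 +0000] "GET /nameless/index.php?route=/forgot_password/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.25 - - [14/Jan/2025:10:01:09 +0000] "GET /nameless/index.php?route=/forgot_password/&c= HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.25 - - [14/Jan/2025:10:01:11 +0000] "POST /nameless/index.php?route=/forgot_password/&c= HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [14/Jan/2025:10:02:30 +0000] "GET /nameless/index.php?route=/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Assumption: the web server writes the standard combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we care about, or None for lines that don't parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_empty_code_reset(target):
    """True when the request targets the forgot_password route with a c
    parameter that is present but empty (route=/forgot_password/&c=).
    Requests without c at all are the ordinary 'enter your email' form
    and are not flagged."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    route = qs.get("route", [""])[0]
    if not route.startswith("/forgot_password"):
        return False
    codes = qs.get("c")
    return codes is not None and all(c.strip() == "" for c in codes)


def find_empty_code_resets(log_text):
    """All parsed entries whose request matches the advisory's shape."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_empty_code_reset(entry["target"]):
            hits.append(entry)
    return hits


def sources(hits):
    """Count hits per client IP so repeat offenders stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_empty_code_resets(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["status"]} {h["target"]}')
    print(sources(found))
```

Note that a code made of whitespace or URL-encoded spaces is treated as empty too, and that a legitimate reset link always carries a non-empty code, so the rule produces few false positives; pair it with the application's own log of manual validations to see which accounts were exposed when the requests arrived.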

Responsible

GitHub M

Reservation

12/30/2024

Disclosure

01/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00729

KEV

no

Activities

very low

Sources
