CVE-2025-31120

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0.
Configurations

Configuration 1

cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*

History

13 May 2025, 15:24

Type: Summary
  Values Added:
  • (es) NamelessMC is free, easy-to-use and powerful web software for Minecraft servers. In version 2.1.4 and earlier, an insecure view count mechanism in the forum page allowed an unauthenticated attacker to artificially increase the count. The application uses a client cookie (nl-topic-[tid]) (or a session variable for guests) to determine whether a view should be counted. When a client does not provide the cookie, every page request increments the counter, resulting in incorrect view metrics. This issue has been fixed in version 2.2.0.
Type: First Time
  Values Added: Namelessmc nameless; Namelessmc
Type: References
  Values Removed: () https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7 -
  Values Added: () https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7 - Patch
Type: References
  Values Removed: () https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0 -
  Values Added: () https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0 - Release Notes
Type: References
  Values Removed: () https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646 -
  Values Added: () https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646 - Exploit, Vendor Advisory
Type: CPE
  Values Added: cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*

18 Apr 2025, 20:15

Type: References
  Values Removed: () https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646 -
  Values Added: () https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646 -

18 Apr 2025, 16:15

Type: New CVE

Information

Published : 2025-04-18 16:15

Updated : 2025-05-13 15:24


NVD link : CVE-2025-31120

Mitre link : CVE-2025-31120

CVE.ORG link : CVE-2025-31120



Products Affected

namelessmc

  • nameless
CWE
CWE-565

Reliance on Cookies without Validation and Integrity Checking