CVE-2025-54421
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-08-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| namelessmc | nameless | to 2.2.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54421 is a Stored Cross-Site Scripting (XSS) vulnerability in the SEO component of NamelessMC versions up to 2.2.3. It allows remote authenticated attackers with permissions to the SEO section to inject malicious web scripts or HTML via the `default_keywords` parameter. The application fails to properly neutralize special characters like <, >, and &, enabling attackers to embed scripts that execute in the context of the affected web page. This can be exploited by sending a crafted POST request to the SEO endpoint with a malicious payload. [1]
How can this vulnerability impact me? :
This vulnerability can have a high impact as it allows attackers to execute arbitrary scripts within the web application context. This can lead to unauthorized access to sensitive data (confidentiality impact), modification of data (integrity impact), and potential disruption of service (availability impact). Since the attacker must be authenticated with SEO section access, the risk is limited to users with such privileges, but the consequences remain severe. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send a crafted POST request to the endpoint /nameless/panel/core/seo/ with a payload containing a script injection in the default_keywords parameter. For example, using curl: curl -X POST -d 'default_keywords=test" autofocus onfocus="alert(document.domain)' https://your-namelessmc-site/nameless/panel/core/seo/ -H 'Cookie: your_auth_cookie'. If the application is vulnerable, the injected script will be stored and executed when the SEO component processes the default_keywords parameter. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade NamelessMC to version 2.2.4 or later, where the vulnerability has been fixed. Additionally, restrict access to the SEO section to trusted users only, as the vulnerability requires authenticated users with SEO permissions to exploit. [1]