CVE-2026-33398
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/get_quotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not enforce forum or topic ACLs. In contrast, the normal topic page in modules/Forum/pages/forum/view_topic.php enforces forum visibility and view_other_topics. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NamelessMC | Nameless | = 2.2.4 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.