CVE-2024-47765

EPSS 0.36%
Veröffentlicht 04.10.2024 15:15:13
Zuletzt bearbeitet 13.11.2024 14:48:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jgniecki ≫ Minecraft Motd Parser Version < 1.0.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.274

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c

Patch

https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-47765

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47765

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47765

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-47765