CVE-2025-31120 MEDIUM

CVE-2025-31120: NamelessMC Vulnerable to Cookie-Based View Count Manipulation

Vendor Namelessmc
Product Nameless
Weakness CWE-565 · Reliance on cookies
Published April 18, 2025
Last update April 18, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0.

Key dates

02Disclosure timeline

April 18, 2025 CVE published
April 18, 2025 Record updated