CVE-2025-32389

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32389
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32389
Aliases
  • GHSA-5984-mhcp-cq2x
Published
2025-04-18T16:15:23Z
Modified
2025-05-28T10:18:53.596398Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure ?param[0]=a&param[1]=b&param[2]=c utilized by PHP, which is parsed by PHP as $_GET['param'] being of type array. This issue has been patched in version 2.1.4.

Affected packages

Git / github.com/namelessmc/nameless

Affected ranges

Type
GIT
Repo
https://github.com/namelessmc/nameless
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v2.*

v2.0.0
v2.0.0-pr1
v2.0.0-pr10
v2.0.0-pr11
v2.0.0-pr12
v2.0.0-pr13
v2.0.0-pr2
v2.0.0-pr3
v2.0.0-pr4
v2.0.0-pr5
v2.0.0-pr6
v2.0.0-pr7
v2.0.0-pr8
v2.0.0-pr9
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.1.2
v2.1.3