Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47765
Summary
Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The "HtmlGenerator" class is subject to potential Cross-site Scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The "HtmlGenerator" iterates through objects of "MotdItem" that are contained in an object of "MotdItemCollection" to generate an HTML string. An attacker can make malicious inputs to the color and text properties of "MotdItem" to inject his own HTML into a web page during web page generation. For example, by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability affects dev-lancer/minecraft-motd-parser package versions prior to 1.0.6
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published
