Exploit
CVE-2024-47765

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 4, 2024 / Updated: 46d ago

010
CVSS 6.9EPSS 0.04%Medium
CVE info copied to clipboard

Summary

The Minecraft MOTD Parser, a PHP library used to parse Minecraft server MOTD (Message of the Day), contains a vulnerability in its HtmlGenerator class. This vulnerability allows for potential cross-site scripting (XSS) attacks through a parsed malformed Minecraft server MOTD. The issue arises because the HtmlGenerator iterates through MotdItem objects within a MotdItemCollection to generate HTML strings, but it does not properly filter or escape the values of the color and text properties of MotdItem. This allows an attacker to inject malicious HTML into a web page during generation.

Impact

An attacker could exploit this vulnerability by sending a malicious MOTD from a Minecraft server under their control. When this MOTD is queried and passed to the HtmlGenerator, it could result in the injection of arbitrary HTML into the generated web page. This could lead to various XSS attacks, potentially allowing the attacker to steal sensitive information, manipulate page content, or perform actions on behalf of the user viewing the compromised page. The vulnerability is classified as a Medium severity issue, indicating a significant but not critical level of risk.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 1.0.6 of the Minecraft MOTD Parser library.

Mitigation

To mitigate this vulnerability, it is strongly recommended to update the Minecraft MOTD Parser library to version 1.0.6 or later. If immediate updating is not possible, consider implementing additional input validation and output encoding for any data processed by the HtmlGenerator class, especially for the color and text properties of MotdItem objects. Additionally, implementing Content Security Policy (CSP) headers can provide an extra layer of protection against XSS attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 3, 2024 at 11:50 PM
CVE Assignment

NVD published the first details for CVE-2024-47765

Oct 4, 2024 at 3:15 PM
First Article

Feedly found the first article mentioning CVE-2024-47765. See article

Oct 4, 2024 at 3:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 4, 2024 at 3:22 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Oct 5, 2024 at 10:04 AM
CVSS

A CVSS base score of 6.9 has been assigned.

Oct 7, 2024 at 5:51 PM / nvd
CVSS

A CVSS base score of 6.1 has been assigned.

Nov 13, 2024 at 2:50 PM / nvd
Static CVE Timeline Graph

Affected Systems

Jgniecki/minecraft_motd_parser
+null more

Exploits

https://github.com/advisories/GHSA-q898-frwq-f3qp
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

Vendor Advisory

[GHSA-q898-frwq-f3qp] Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS
If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect: Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components.

News

CVE-2024-47765
The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator.
NA - CVE-2024-47765 - Minecraft MOTD Parser is a PHP library to parse...
Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server...
CVE-2024-47765
Medium Severity Description Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6. Read more at https://www.tenable.com/cve/CVE-2024-47765
[GHSA-q898-frwq-f3qp] Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS
If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect: Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components.
CVE-2024-47765
Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in...
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI