Description
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view_topic.php` enforces forum visibility and `view_other_topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.
Published: 2026-06-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in NamelessMC 2.2.4 permits any logged‑in user to retrieve the contents of hidden, private or staff‑only forum posts by calling /forum/get_quotes with a user‑controlled post ID. The request only verifies that the caller is authenticated and nowhere checks the forum or topic access control lists; consequently the backend returns the post to the requester regardless of its visibility. This constitutes an improper authorization weakness (CWE‑285).

Affected Systems

This vulnerability affects NamelessMC software supplied by Nameless. It is present in version 2.2.4 and was removed with the release of version 2.2.5. No other products or broader vendor suites are listed as affected.

Risk and Exploitability

The CVSS score of 7.1 highlights a high severity impact. Although the EPSS score is not published and the issue is not listed in the CISA KEV, any authenticated user can enumerate sequential post identifiers and read hidden content with minimal effort, leading to unauthorized disclosure of private forum information. The lack of view or ACL enforcement on the endpoint makes the attack vector trivial once a valid login is available.

Generated by OpenCVE AI on June 2, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NamelessMC to version 2.2.5 or later to apply the vendor‑supplied fix.
  • If an immediate upgrade is not possible, disable or restrict access to the /forum/get_quotes endpoint so that only privileged users can query it.
  • Verify that all forum and topic view pages correctly enforce ACLs and review ACL settings to prevent accidental exposure of hidden forums.

Generated by OpenCVE AI on June 2, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view_topic.php` enforces forum visibility and `view_other_topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.
Title Authenticated users can read hidden forum posts through `/forum/get_quotes`
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T17:08:08.919Z

Reserved: 2026-03-19T17:02:34.169Z

Link: CVE-2026-33398

cve-icon Vulnrichment

Updated: 2026-06-02T16:59:08.653Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T16:16:36.457

Modified: 2026-06-02T17:16:28.173

Link: CVE-2026-33398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T16:30:13Z

Weaknesses