Vulnerability-Lookup

CVE-2024-47765 (GCVE-0-2024-47765)

Vulnerability from cvelistv5 – Published: 2024-10-04 14:20 – Updated: 2024-10-04 16:09

Title

Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

Summary

Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/jgniecki/MinecraftMotdParser/s…	x_refsource_CONFIRM
	https://github.com/jgniecki/MinecraftMotdParser/c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	jgniecki	MinecraftMotdParser	Affected: < 1.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:jgniecki:minecraftmotdparser:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "minecraftmotdparser",
            "vendor": "jgniecki",
            "versions": [
              {
                "lessThan": "1.0.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47765",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-04T16:06:28.821236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-04T16:09:22.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MinecraftMotdParser",
          "vendor": "jgniecki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-04T14:20:24.412Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp"
        },
        {
          "name": "https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c"
        }
      ],
      "source": {
        "advisory": "GHSA-q898-frwq-f3qp",
        "discovery": "UNKNOWN"
      },
      "title": "Minecraft MOTD Parser\u0027s HtmlGenerator vulnerable to XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47765",
    "datePublished": "2024-10-04T14:20:24.412Z",
    "dateReserved": "2024-09-30T21:28:53.231Z",
    "dateUpdated": "2024-10-04T16:09:22.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-47765",
      "date": "2026-05-03",
      "epss": "0.01354",
      "percentile": "0.80214"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47765\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-04T15:15:13.213\",\"lastModified\":\"2024-11-13T14:48:37.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6.\"},{\"lang\":\"es\",\"value\":\"Minecraft MOTD Parser es una librer\u00eda PHP para analizar MOTD de servidores de Minecraft. La clase HtmlGenerator est\u00e1 sujeta a posibles ataques de cross-site scripting (XSS) a trav\u00e9s de un MOTD de servidor de Minecraft mal formado y analizado. HtmlGenerator itera a trav\u00e9s de objetos de MotdItem que est\u00e1n contenidos en un objeto de MotdItemCollection para generar una cadena HTML. Un atacante puede realizar entradas maliciosas en las propiedades de color y texto de MotdItem para inyectar su propio HTML en una p\u00e1gina web durante la generaci\u00f3n de la p\u00e1gina web. Por ejemplo, enviando un MOTD malicioso desde un servidor de Minecraft bajo su control que fue consultado y pasado a HtmlGenerator. Esta vulnerabilidad XSS existe porque los valores de estas propiedades no se filtran ni se escapan. Esta vulnerabilidad se corrigi\u00f3 en 1.0.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jgniecki:minecraft_motd_parser:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.6\",\"matchCriteriaId\":\"9A5DFF0E-62EB-46F9-9BDC-E1B5ED78415D\"}]}]}],\"references\":[{\"url\":\"https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47765\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-04T16:06:28.821236Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:jgniecki:minecraftmotdparser:*:*:*:*:*:*:*:*\"], \"vendor\": \"jgniecki\", \"product\": \"minecraftmotdparser\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.0.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-04T16:09:16.750Z\"}}], \"cna\": {\"title\": \"Minecraft MOTD Parser\u0027s HtmlGenerator vulnerable to XSS\", \"source\": {\"advisory\": \"GHSA-q898-frwq-f3qp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"jgniecki\", \"product\": \"MinecraftMotdParser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.6\"}]}], \"references\": [{\"url\": \"https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp\", \"name\": \"https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c\", \"name\": \"https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-04T14:20:24.412Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47765\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-04T16:09:22.623Z\", \"dateReserved\": \"2024-09-30T21:28:53.231Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-04T14:20:24.412Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-Q898-FRWQ-F3QP

Vulnerability from github – Published: 2024-10-04 18:51 – Updated: 2024-11-13 16:25

Summary

Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

Details

Summary

The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.

Context

Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the description property of the Status Response packet. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components. By utilizing the aforementioned HtmlGenerator class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.

Details

The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator.

This XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here: - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49 - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80

Proof of Concept

JavaScript code can be injected into the HtmlGenerator by parsing either a string via TextParser or an array via ArrayParser. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.

XSS via `TextParser`

<?php

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\TextParser;

$motdCollection = (new TextParser())->parse('<script>alert("XSS on page load")</script>', new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

XSS via `ArrayParser`

<?php

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\ArrayParser;

$motdCollection = (new ArrayParser())->parse([
    [
        'color' => '#" onmouseover="javascript:alert(\'XSS when mouse pointer enters the span element\')"',
        'text' => 'Hover me',
    ],
    [
        'color' => '#000000',
        'text' => '<script>alert("XSS on page load")</script>',
    ]
], new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

Impact

If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect: - Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD. - Users visiting Minecraft server status websites to query information about a Minecraft server. - Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner's consent.

It is not clear if and which platforms depend on this library.

Remediation

I suggest converting all HTML special characters in the values of the color and text properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.

This could be achieved by introducing a new private escape function in the HtmlGenerator class:

private function escape(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

This function should be called in the following two lines: - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49 Change to: $tags['span'][] = sprintf('color: %s;', $this->escape($motdItem->getColor())); - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80 Change to: $value = sprintf($value, $this->escape($motdItem->getText()));

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "dev-lancer/minecraft-motd-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-04T18:51:35Z",
    "nvd_published_at": "2024-10-04T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `HtmlGenerator` class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.\n\n### Context\nMinecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player\u0027s Minecraft client. The Minecraft server sends the MOTD in the `description` property of the [Status Response](https://wiki.vg/Server_List_Ping#Status_Response) packet. The [jgniecki/MinecraftMotdParser](https://github.com/jgniecki/MinecraftMotdParser) PHP library is able to parse the value of the `description` property, which can be either a string or an array of text components. By utilizing the aforementioned `HtmlGenerator` class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.\n\n### Details\nThe `HtmlGenerator` iterates through objects of `MotdItem` that are contained in an object of `MotdItemCollection` to generate a HTML string. An attacker can make malicious inputs to the `color` and `text` properties of `MotdItem` to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the `HtmlGenerator`.\n\nThis XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here:\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80\n\n### Proof of Concept\nJavaScript code can be injected into the `HtmlGenerator` by parsing either a string via `TextParser` or an array via `ArrayParser`. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.\n\n#### XSS via `TextParser`\n```php\n\u003c?php\n\nuse DevLancer\\MinecraftMotdParser\\Collection\\MotdItemCollection;\nuse DevLancer\\MinecraftMotdParser\\Generator\\HtmlGenerator;\nuse DevLancer\\MinecraftMotdParser\\Parser\\TextParser;\n\n$motdCollection = (new TextParser())-\u003eparse(\u0027\u003cscript\u003ealert(\"XSS on page load\")\u003c/script\u003e\u0027, new MotdItemCollection());\n\necho (new HtmlGenerator())-\u003egenerate($motdCollection);\n```\n\n#### XSS via `ArrayParser`\n```php\n\u003c?php\n\nuse DevLancer\\MinecraftMotdParser\\Collection\\MotdItemCollection;\nuse DevLancer\\MinecraftMotdParser\\Generator\\HtmlGenerator;\nuse DevLancer\\MinecraftMotdParser\\Parser\\ArrayParser;\n\n$motdCollection = (new ArrayParser())-\u003eparse([\n    [\n        \u0027color\u0027 =\u003e \u0027#\" onmouseover=\"javascript:alert(\\\u0027XSS when mouse pointer enters the span element\\\u0027)\"\u0027,\n        \u0027text\u0027 =\u003e \u0027Hover me\u0027,\n    ],\n    [\n        \u0027color\u0027 =\u003e \u0027#000000\u0027,\n        \u0027text\u0027 =\u003e \u0027\u003cscript\u003ealert(\"XSS on page load\")\u003c/script\u003e\u0027,\n    ]\n], new MotdItemCollection());\n\necho (new HtmlGenerator())-\u003egenerate($motdCollection);\n```\n\n### Impact\nIf the `HtmlGenerator` class of this library is used, this XSS vulnerability can potentially affect:\n- Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.\n- Users visiting Minecraft server status websites to query information about a Minecraft server.\n- Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner\u0027s consent.\n\nIt is not clear if and which platforms depend on this library.\n\n### Remediation\nI suggest converting all HTML special characters in the values of the `color` and `text` properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.\n\nThis could be achieved by introducing a new private `escape` function in the `HtmlGenerator` class:\n```php\nprivate function escape(string $text): string\n{\n    return htmlentities($text, ENT_QUOTES | ENT_HTML5, \u0027UTF-8\u0027);\n}\n```\n\nThis function should be called in the following two lines:\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49\nChange to: `$tags[\u0027span\u0027][] = sprintf(\u0027color: %s;\u0027, $this-\u003eescape($motdItem-\u003egetColor()));`\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80\nChange to: `$value = sprintf($value, $this-\u003eescape($motdItem-\u003egetText()));`",
  "id": "GHSA-q898-frwq-f3qp",
  "modified": "2024-11-13T16:25:58Z",
  "published": "2024-10-04T18:51:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47765"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jgniecki/MinecraftMotdParser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Minecraft MOTD Parser\u0027s HtmlGenerator vulnerable to XSS"
}

FKIE_CVE-2024-47765

Vulnerability from fkie_nvd - Published: 2024-10-04 15:15 - Updated: 2024-11-13 14:48

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c	Patch
	security-advisories@github.com	https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jgniecki	minecraft_motd_parser	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jgniecki:minecraft_motd_parser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A5DFF0E-62EB-46F9-9BDC-E1B5ED78415D",
              "versionEndExcluding": "1.0.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Minecraft MOTD Parser is a PHP library to parse minecraft server motd. The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator. This XSS vulnerability exists because the values of these properties are neither filtered nor escaped. This vulnerability is fixed in 1.0.6."
    },
    {
      "lang": "es",
      "value": "Minecraft MOTD Parser es una librer\u00eda PHP para analizar MOTD de servidores de Minecraft. La clase HtmlGenerator est\u00e1 sujeta a posibles ataques de cross-site scripting (XSS) a trav\u00e9s de un MOTD de servidor de Minecraft mal formado y analizado. HtmlGenerator itera a trav\u00e9s de objetos de MotdItem que est\u00e1n contenidos en un objeto de MotdItemCollection para generar una cadena HTML. Un atacante puede realizar entradas maliciosas en las propiedades de color y texto de MotdItem para inyectar su propio HTML en una p\u00e1gina web durante la generaci\u00f3n de la p\u00e1gina web. Por ejemplo, enviando un MOTD malicioso desde un servidor de Minecraft bajo su control que fue consultado y pasado a HtmlGenerator. Esta vulnerabilidad XSS existe porque los valores de estas propiedades no se filtran ni se escapan. Esta vulnerabilidad se corrigi\u00f3 en 1.0.6."
    }
  ],
  "id": "CVE-2024-47765",
  "lastModified": "2024-11-13T14:48:37.050",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-04T15:15:13.213",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47765 (GCVE-0-2024-47765)

GHSA-Q898-FRWQ-F3QP

Summary

Context

Details

Proof of Concept

XSS via TextParser

XSS via ArrayParser

Impact

Remediation

FKIE_CVE-2024-47765

Tags

Sightings

Nomenclature

XSS via `TextParser`

XSS via `ArrayParser`