CVE-2025-22144

Name of the Vulnerable Software and Affected Versions NamelessMC versions prior to 2.1.3

Description The issue allows an attacker to reset user passwords via the forgot password link. This can be achieved when a user with admincp.core.emails or admincp.users.edit permissions manually validates a user account, resulting in an empty reset code. An attacker can exploit this by requesting the "http://localhost/nameless/index.php?route=/forgot password/&c=" endpoint and resetting the password, potentially compromising another user's password and taking over their account.

Recommendations For versions prior to 2.1.3, update to version 2.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the "http://localhost/nameless/index.php?route=/forgot password/&c=" endpoint until the update is applied. Avoid using the forgot password feature for user accounts validated manually by users with admincp.core.emails or admincp.users.edit permissions until the issue is resolved.