CVE-2024-47765

CVE-2024-47765 is a medium-severity cross-site scripting (XSS) vulnerability in dev-lancer/minecraft-motd-parser (composer), affecting versions <= 1.0.5. It is fixed in 1.0.6.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.

Context

Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the description property of the Status Response packet. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components. By utilizing the aforementioned HtmlGenerator class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.

Details

The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator.

This XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here:

Proof of Concept

JavaScript code can be injected into the HtmlGenerator by parsing either a string via TextParser or an array via ArrayParser. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.

XSS via TextParser

<?php

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\TextParser;

$motdCollection = (new TextParser())->parse('<script>alert("XSS on page load")</script>', new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

XSS via ArrayParser

<?php

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\ArrayParser;

$motdCollection = (new ArrayParser())->parse([
    [
        'color' => '#" onmouseover="javascript:alert(\'XSS when mouse pointer enters the span element\')"',
        'text' => 'Hover me',
    ],
    [
        'color' => '#000000',
        'text' => '<script>alert("XSS on page load")</script>',
    ]
], new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

Impact

If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect:

  • Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.
  • Users visiting Minecraft server status websites to query information about a Minecraft server.
  • Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner's consent.

It is not clear if and which platforms depend on this library.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2024-47765 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.6); upgrading removes the vulnerable code path.

Affected versions

dev-lancer/minecraft-motd-parser (<= 1.0.5)

Security releases

dev-lancer/minecraft-motd-parser → 1.0.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

I suggest converting all HTML special characters in the values of the color and text properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.

This could be achieved by introducing a new private escape function in the HtmlGenerator class:

private function escape(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

This function should be called in the following two lines:

Frequently Asked Questions

  1. What is CVE-2024-47765? CVE-2024-47765 is a medium-severity cross-site scripting (XSS) vulnerability in dev-lancer/minecraft-motd-parser (composer), affecting versions <= 1.0.5. It is fixed in 1.0.6. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2024-47765? CVE-2024-47765 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of dev-lancer/minecraft-motd-parser are affected by CVE-2024-47765? dev-lancer/minecraft-motd-parser (composer) versions <= 1.0.5 is affected.
  4. Is there a fix for CVE-2024-47765? Yes. CVE-2024-47765 is fixed in 1.0.6. Upgrade to this version or later.
  5. Is CVE-2024-47765 exploitable, and should I be worried? Whether CVE-2024-47765 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-47765 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-47765? Upgrade dev-lancer/minecraft-motd-parser to 1.0.6 or later.

Stop the waste.
Protect your environment with Kodem.