CVE-2024-47765: 
PHP vulnerability analysis and mitigation

Minecraft MOTD Parser, a PHP library for parsing Minecraft server MOTD (Message of the Day), contains a cross-site scripting (XSS) vulnerability identified as CVE-2024-47765. The vulnerability was discovered in versions up to 1.0.5 and has been fixed in version 1.0.6. The HtmlGenerator class is susceptible to XSS attacks through malformed Minecraft server MOTD parsing, where an attacker can inject malicious HTML into web pages during generation (GitHub Advisory).

The vulnerability exists in the HtmlGenerator class which iterates through MotdItem objects contained in a MotdItemCollection to generate HTML strings. The core issue stems from insufficient validation and escaping of user input in the color and text properties of MotdItem objects. When processing these properties, the values are directly inserted into the HTML output without proper sanitization, allowing attackers to inject arbitrary HTML and JavaScript code. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability can affect multiple scenarios including players visiting Minecraft server list websites that display MOTDs, users accessing Minecraft server status websites, and server owners managing their Minecraft servers via web interfaces that display MOTDs. Attackers can exploit this vulnerability by sending malicious MOTDs from Minecraft servers under their control, potentially executing arbitrary JavaScript code in users' browsers (GitHub Advisory).

The vulnerability has been patched in version 1.0.6 by implementing proper HTML escaping for the color and text properties. The fix includes converting all HTML special characters to HTML entities using the htmlentities() function with ENTQUOTES and ENTHTML5 flags. Users are strongly advised to upgrade to version 1.0.6 or later (GitHub Patch).