pocketmine/pocketmine-mp Security Advisories for 3.2.4 (13)
- PocketMine-MP vulnerable to denial-of-service by sending large modal form responses
  Affected version: <4.12.5
  Reported by: GitHub
- PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
  Affected version: <4.8.1
  Reported by: GitHub
- PocketMine-MP invalid skin geometry JSON data leading to server crash
  Affected version: <4.7.2
  Reported by: GitHub
- Denial-of-service vulnerability processing large chat messages containing many newlines
  Affected version: <4.2.10
  Reported by: GitHub
- Insufficient type validation in pocketmine/pocketmine-mp
  Affected version: <4.2.9
  Reported by: GitHub
- Improperly checked metadata on tools/armour itemstacks received from the client
  Affected version: <4.2.4
  Reported by: GitHub
- NaN/INF in serverbound movement packets can crash clients and servers
  Affected version: <=3.18.0
  Reported by: GitHub
- Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP
  Affected version: >=3.0.0,<4.0.0
  Reported by: GitHub
- Unchecked validity of Facing values in PlayerActionPacket
  Affected version: <4.0.6
  Reported by: GitHub
- Uncapped length of skin data fields submitted by players
  Affected version: >=4.0.0,<4.0.5|<3.26.5
  Reported by: GitHub
- Book page text, count, and author/title length is not limited in PocketMine-MP
  Affected version: >=4.0.0,<4.0.5|<3.26.5
  Reported by: GitHub
- Inability to de-op players if listed in ops.txt with non-lowercase letters
  Affected version: <4.0.3
  Reported by: GitHub
- Exploitable inventory component chaining in PocketMine-MP
  Affected version: <3.15.4
  Reported by: GitHub