CVE-2025-31488

Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows users to use homepages provided by third parties. If controls such as WebBrowser are used in the homepage, WPF will use Internet Explorer to load the specified webpage. If the user uses a malicious homepage, the attacker can use IE background to access the specified webpage without knowing it. This vulnerability is fixed in 2.9.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Hex-Dragon/PCL2/security/advisories/GHSA-wfpw-hfcp-9m73

Configurations

No configuration.

History

07 Apr 2025, 14:17

Type	Values Removed	Values Added
Summary		(es) Plain Craft Launcher (PCL) es un lanzador para Minecraft. PCL permite a los usuarios usar páginas de inicio de terceros. Si se usan controles como WebBrowser en la página de inicio, WPF usará Internet Explorer para cargar la página web especificada. Si el usuario usa una página de inicio maliciosa, el atacante puede usar el fondo de IE para acceder a la página web especificada sin saberlo. Esta vulnerabilidad se corrigió en la versión 2.9.3.

06 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-06 20:15

Updated : 2025-04-07 14:17

NVD link : CVE-2025-31488

Mitre link : CVE-2025-31488

CVE.ORG link : CVE-2025-31488

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2025-31488", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-06T20:15:14.310", "references": [{"url": "https://github.com/Hex-Dragon/PCL2/security/advisories/GHSA-wfpw-hfcp-9m73", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows users to use homepages provided by third parties. If controls such as WebBrowser are used in the homepage, WPF will use Internet Explorer to load the specified webpage. If the user uses a malicious homepage, the attacker can use IE background to access the specified webpage without knowing it. This vulnerability is fixed in 2.9.3."}, {"lang": "es", "value": "Plain Craft Launcher (PCL) es un lanzador para Minecraft. PCL permite a los usuarios usar p\u00e1ginas de inicio de terceros. Si se usan controles como WebBrowser en la p\u00e1gina de inicio, WPF usar\u00e1 Internet Explorer para cargar la p\u00e1gina web especificada. Si el usuario usa una p\u00e1gina de inicio maliciosa, el atacante puede usar el fondo de IE para acceder a la p\u00e1gina web especificada sin saberlo. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 2.9.3."}], "lastModified": "2025-04-07T14:17:50.220", "sourceIdentifier": "security-advisories@github.com"}