Critical Security Vulnerability

[ProgrammerDan]

https://github.com/DevotedMC/NameLayer/blob/master/namelayer-spigot/src/main/java/vg/civcraft/mc/namelayer/command/commands/ListGroups.java#L45

On first join, a player with the name of an existing player, retains that player's name. It's only changed on rejoin.

Consequently, this method allows that spoofing user, for a single session, to gain access to that player's groups.

[ProgrammerDan]

Inverted here: https://github.com/DevotedMC/NameLayer/blob/master/namelayer-spigot/src/main/java/vg/civcraft/mc/namelayer/listeners/AssociationListener.java#L50

Don't just return, set the name, then return. Bad code.