CVE-2021-41176Cross-Site Request Forgery in Panel

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 62.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pterodactyl Panel
Timeline
PublishedOct 25

Description

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in versio

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDpterodactyl/panel< 1.6.3
Packagistpterodactyl/panel1.0.01.6.3
CVEListV5pterodactyl/panel>= 1.0.0 < 1.6.3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
pterodactyl/panel CSRF allowing an external page to trigger a user logout event2021-10-25
GHSA
pterodactyl/panel CSRF allowing an external page to trigger a user logout event2021-10-25