CVE-2021-41273Cross-Site Request Forgery in Panel

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 69.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pterodactyl Panel
Timeline
PublishedNov 17
Latest updateNov 18

Description

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is n

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDpterodactyl/panel< 1.6.6
Packagistpterodactyl/panel< 1.6.6

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys2021-11-18
OSV
Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys2021-11-18