CVE-2024-49762: Cleartext Storage in a File or on Disk in Panel

Severity
4.6 MEDIUM (NVD)
EPSS
0.0% (top 89.37%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Oct 24

Description

Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs th
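The advisory's point is that the password never needed to be in the URL: request targets (path plus query string) are written to access logs by default, while request bodies are not. The following added example, which is not code from the Pterodactyl project or from this advisory, shows the defensive side of that: a small scrubber that scans web-server access log lines in the common "combined" format, reports any request whose query string carried a credential-like parameter, and rewrites the line with the value redacted. The log lines, the endpoint path and the list of parameter names treated as sensitive are all constructed for the example and are assumptions, not values taken from the project.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: query-parameter names that should never appear in an access log.
# Adjust to the application's own parameter names.
SENSITIVE_PARAMS = {"password", "current_password", "token", "secret"}

# Request field of a combined-format access log line, e.g.
#   "DELETE /account/two-factor?password=... HTTP/1.1"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)


def redact_target(target):
    """Replace the values of sensitive query parameters in a request target.

    Returns (new_target, names_of_redacted_params). The path is left intact
    because it is what operators need to see when reviewing the log.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target, []
    hit = []
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            hit.append(key)
            kept.append((key, "[REDACTED]"))
        else:
            kept.append((key, value))
    # safe="[]" keeps the marker readable instead of percent-encoding it
    new_query = urlencode(kept, safe="[]")
    new_target = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, new_query, parts.fragment)
    )
    return new_target, hit


def scrub_line(line):
    """Scrub one access log line.

    Returns (line_to_write, redacted_param_names). Lines that do not match
    the combined format, or carry no sensitive parameter, are returned as-is.
    """
    match = REQUEST_RE.search(line)
    if not match:
        return line, []
    new_target, hit = redact_target(match.group("target"))
    if not hit:
        return line, []
    start, end = match.span("target")
    return line[:start] + new_target + line[end:], hit


def scrub_log(lines):
    """Scrub an iterable of log lines.

    Returns (clean_lines, findings); each finding is
    (line_number, method, path, redacted_param_names) so an operator can see
    which endpoints leaked credentials into the log and fix the client code
    to send them in the request body instead.
    """
    clean = []
    findings = []
    for number, line in enumerate(lines, start=1):
        new_line, hit = scrub_line(line)
        clean.append(new_line)
        if hit:
            method = REQUEST_RE.search(line).group("method")
            path = urlsplit(REQUEST_RE.search(line).group("target")).path
            findings.append((number, method, path, hit))
    return clean, findings


# Constructed sample lines (client IP from the documentation range, made-up
# endpoint path and password); not taken from any real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2024:10:15:32 +0000] '
    '"DELETE /account/two-factor?password=hunter2 HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2024:10:15:40 +0000] '
    '"GET /servers?page=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    clean_lines, found = scrub_log(SAMPLE_LOG)
    for number, method, path, params in found:
        print(f"line {number}: {method} {path} leaked {params}")
    print("\n".join(clean_lines))
```

Running the scrubber over an existing log is a clean-up step, not a fix: the durable change is moving the credential out of the query string into the request body (as the patched version does), since anything in the request target is also visible to proxies, CDNs and browser history.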

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Exploitability: 1.5 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: pterodactyl/panel < 1.11.8
Packagist: pterodactyl/panel < 1.11.8

Vulnerability Details (2)
GHSA
Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled (2024-10-24)
OSV
Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled (2024-10-24)
CVE-2024-49762 — Cleartext Storage in a File or on Disk | cvebase