logout CSRF in Pterodactyl Panel
CVE-2021-41176

4.3MEDIUM

Key Information:

Vendor

Pterodactyl

Status
Panel
Vendor
CVE Published:
25 October 2021

What is CVE-2021-41176?

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. No user details are leaked, nor is any user data affected, this is simply an annoyance at worst. This is fixed in version 1.6.3.

Affected Version(s)

panel >= 1.0.0 < 1.6.3

References

https://github.com/pterodactyl/panel/security/advisories/...
x_refsource_CONFIRM
https://github.com/pterodactyl/panel/commit/45999ba4ee1b2...
x_refsource_MISC
https://github.com/pterodactyl/panel/releases/tag/v1.6.3
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.