Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNDlmLWhjeHAtNmhtNs0WsA

pterodactyl/panel CSRF allowing an external page to trigger a user logout event

Impact

A malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.

Patches

None.

Workarounds

None.

For more information

If you have any questions or comments about this advisory please contact Tactical Fish#8008 on Discord, or email [email protected].

Permalink: https://github.com/advisories/GHSA-m49f-hcxp-6hm6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNDlmLWhjeHAtNmhtNs0WsA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: 7 months ago

Identifiers: GHSA-m49f-hcxp-6hm6, CVE-2021-41176
References:

Repository: https://github.com/pterodactyl/panel
Blast Radius: 1.0

Affected Packages

packagist:pterodactyl/panel

Dependent packages: 0
Dependent repositories: 0
Downloads: 100 total
Affected Version Ranges: >= 1.0.0, < 1.6.3
Fixed in: 1.6.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2
All unaffected versions: 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.7.15, 0.7.16, 0.7.17, 0.7.18, 0.7.19, 1.6.3, 1.6.5, 1.6.6, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5