CVE-2024-49762 – Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled
https://notcve.org/view.php?id=CVE-2024-49762
Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request carrying their current password in a query parameter is sent. Although query parameters are encrypted in transit when TLS is used, many web servers (including ones officially documented for use with Pterodactyl) log query parameters in plain text, so the user's password ends up stored in plain text in the access log. Prior to version 1.11.8, a malicious user who obtains access to these logs could potentially authenticate against the user's account, assuming they can discover the account's email address or username separately. This problem has been patched in version 1.11.8.
References: https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4 https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1 https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr
CWE-313: Cleartext Storage in a File or on Disk
CVE-2024-34066 – Arbitrary File Write/Read in Pterodactyl wings
https://notcve.org/view.php?id=CVE-2024-34066
Pterodactyl Wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked, either by viewing the node configuration or by accidentally posting it somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated with. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround.
References: https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw
CWE-552: Files or Directories Accessible to External Parties
CVE-2024-34067 – Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel
https://notcve.org/view.php?id=CVE-2024-34067
Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to a Wings instance could lead to cross-site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following fields are affected: Egg Docker images, and Egg variables (Name, Environment variable, Default value, Description, Validation rules). Additionally, certain fields reflect malicious input, but exploiting them would require the user to knowingly enter such input. To reiterate, this requires an administrator to perform actions and cannot be triggered by a normal panel user.
References: https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2 https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16 https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817 https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-34068 – Server-side Request Forgery during remote file pull in Pterodactyl wings
https://notcve.org/view.php?id=CVE-2024-34068
Pterodactyl Wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents the pull endpoint from reaching internal endpoints of the node hosting Wings. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround.
References: https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8 https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv
CWE-284: Improper Access Control; CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CVE-2024-27102 – Improper isolation of server file access in github.com/pterodactyl/wings
https://notcve.org/view.php?id=CVE-2024-27102
Wings is the server control plane for Pterodactyl Panel. This vulnerability affects anyone running the affected versions of Wings. It can potentially be used to access files and directories on the host system. The exact scope of impact is unknown, but reading files outside of a server's base directory (sandbox root) is possible. To exploit this issue, an attacker must already have a "server" allocated and controlled by Wings.
References: https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287 https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-363: Race Condition Enabling Link Following