CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25203 – Ctrlpanel has stored XSS vulnerability in TicketsController priority field
https://notcve.org/view.php?id=CVE-2025-25203
11 Feb 2025 — CtrlPanel is open-source billing software for hosting providers. Prior to version 1.0, a Cross-Site Scripting (XSS) vulnerability exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation and unsafe rendering of this field in the moderator panel. Version 1.0 contains a patch for the issue. • https://github.com/Ctrlpanel-gg/panel/commit/393cbde662c7e54829e296eb5815794490d925c7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49762 – Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled
https://notcve.org/view.php?id=CVE-2024-49762
24 Oct 2024 — Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs they could pot... • https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4 • CWE-313: Cleartext Storage in a File or on Disk •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34067 – Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel
https://notcve.org/view.php?id=CVE-2024-34067
03 May 2024 — Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would ... • https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41273 – Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys
https://notcve.org/view.php?id=CVE-2021-41273
17 Nov 2021 — Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed ... • https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41176 – logout CSRF in Pterodactyl Panel
https://notcve.org/view.php?id=CVE-2021-41176
25 Oct 2021 — Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3. Pte... • https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41129 – Authentication bypass in Pterodactyl
https://notcve.org/view.php?id=CVE-2021-41129
06 Oct 2021 — Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication to... • https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162 • CWE-287: Improper Authentication CWE-502: Deserialization of Untrusted Data CWE-639: Authorization Bypass Through User-Controlled Key CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26255 – PHP Phar archives could be uploaded and executed in Kirby
https://notcve.org/view.php?id=CVE-2020-26255
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. • https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26253 – .dev domains treated as local in Kirby
https://notcve.org/view.php?id=CVE-2020-26253
08 Dec 2020 — Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public serv... • https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa • CWE-346: Origin Validation Error •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1020002
https://notcve.org/view.php?id=CVE-2019-1020002
29 Jul 2019 — Pterodactyl before 0.7.14 with 2FA allows credential sniffing. Pterodactyl anterior a versión 0.7.14 con 2FA, permite el rastreo de credenciales. • https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8 • CWE-203: Observable Discrepancy •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 3CVE-2017-16807 – Kirby CMS < 2.5.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16807
13 Nov 2017 — A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en Kirby Panel en versiones anteriores a la 2.3.3, las versiones 2.4.x anteriores a la 2.4.2 y las versiones 2.5.x anteriores a la 2.5.7 al mostrar un documento SVG especialmente preparado que ha sido subido como archivo de contenido. KirbyCM... • https://packetstorm.news/files/id/144965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •