Show filters
13 Total Results
Displaying 11-13 of 13
Sort by:
Attacker Value
Unknown

CVE-2021-41129

Disclosure Date: October 06, 2021 (last updated February 23, 2025)
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `con…
0
Attacker Value
Unknown

CVE-2021-32699

Disclosure Date: June 22, 2021 (last updated February 22, 2025)
Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding. Users should upgrade to `1.4.4` to mitigate the issue. There is no non-code based workaround for impacted versions of the software. Users running customized versions of this software can manually set a PID limit for containers created.
Attacker Value
Unknown

CVE-2019-1020002

Disclosure Date: July 29, 2019 (last updated November 27, 2024)
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
0