GHSA-5822-pw57-vv37 – pterodactyl/panel

Package

Manager: composer
Name: pterodactyl/panel
Vulnerable Version: >=0 <0.7.19 || >=1.0.0-rc.0 <1.0.0-rc.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

XSS vulnerability when listing users on add & modify server pages. ### Impact An XSS vulnerability exists in versions of Pterodactyl Panel before 0.7.19. Affected versions do not properly sanitize account names before rendering them to the dropdown selector in the admin area when creating or modifying a server. ### Patches This XSS has been addressed in 0.7.19 and will be rolled forwards into the 1.0-rc.7 release. ### Workarounds No workaround exists without manual patching. See https://github.com/pterodactyl/panel/pull/2441/files for the files changed. ### For more information If you have any questions or comments about this advisory please reach out on Discord, or by emailing `dane` at `pterodactyl` dot `io`. _Thank you to Sergej for the responsible disclosure of this issue._

Metadata

Created: 2020-10-08T20:13:19Z
Modified: 2021-10-04T21:25:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-5822-pw57-vv37/GHSA-5822-pw57-vv37.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1