{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.
CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.
JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to forge authentication tokens and impersonate any user account. The JWTService::decode() method validates only time-based claims while ignoring cryptographic signatures, enabling complete authentication bypass in the SSO flow by crafting tokens with arbitrary user_uuid values. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward to exploit given the technical details in the GitHub advisory.
Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and manipulate servers across different nodes without proper ownership verification. An attacker with a valid node secret token can retrieve sensitive installation scripts, alter server installation states, and modify transfer statuses for servers they should not have access to. The vulnerability requires network access and valid node credentials but carries high impact due to potential exposure of secrets and cross-node server manipulation.
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. [CVSS 5.4 MEDIUM]