XSS vulnerability when listing users on add & modify server pages.
Package
Affected versions
< 0.7.19
>= 1.0.0-rc.0, <= 1.0.0-rc.6
Patched versions
0.7.19
1.0.0-rc.7
Description
Reviewed
Oct 8, 2020
Published to the GitHub Advisory Database
Oct 8, 2020
Last updated
Jan 9, 2023
Impact
An XSS vulnerability exists in versions of Pterodactyl Panel before 0.7.19. Affected versions do not properly sanitize account names before rendering them to the dropdown selector in the admin area when creating or modifying a server.
Patches
This XSS has been addressed in 0.7.19 and will be rolled forwards into the 1.0-rc.7 release.
Workarounds
No workaround exists without manual patching. See https://github.com/pterodactyl/panel/pull/2441/files for the files changed.
For more information
If you have any questions or comments about this advisory please reach out on Discord, or by emailing
dane
atpterodactyl
dotio
.Thank you to Sergej for the responsible disclosure of this issue.
References