GHSA-5822-pw57-vv37

Source

https://github.com/advisories/GHSA-5822-pw57-vv37

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-5822-pw57-vv37/GHSA-5822-pw57-vv37.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5822-pw57-vv37

Published

2020-10-08T20:13:19Z

Modified

2024-12-02T05:28:39.721209Z

Summary

XSS vulnerability when listing users on add & modify server pages.

Details

Impact

An XSS vulnerability exists in versions of Pterodactyl Panel before 0.7.19. Affected versions do not properly sanitize account names before rendering them to the dropdown selector in the admin area when creating or modifying a server.

Patches

This XSS has been addressed in 0.7.19 and will be rolled forwards into the 1.0-rc.7 release.

Workarounds

No workaround exists without manual patching. See https://github.com/pterodactyl/panel/pull/2441/files for the files changed.

For more information

If you have any questions or comments about this advisory please reach out on Discord, or by emailing dane at pterodactyl dot io.

Thank you to Sergej for the responsible disclosure of this issue.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-08T20:12:58Z"
}

References

Affected packages

Packagist / pterodactyl/panel

Package

Name: pterodactyl/panel
Purl: pkg:composer/pterodactyl/panel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.19

Affected versions

v0.*

v0.1.0-beta

v0.1.1-beta

v0.1.2-beta

v0.2.0-beta

v0.3.0-beta

v0.4.0-beta

v0.4.1-beta

v0.5.0-rc.1

v0.5.0-rc.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.6.0-beta.1

v0.6.0-beta.2

v0.6.0-beta.2.1

v0.6.0-rc.1

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0-beta.1

v0.7.0-beta.2

v0.7.0-beta.3

v0.7.0-beta.4

v0.7.0-rc.1

v0.7.0-rc.2

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.7.10

v0.7.11

v0.7.12

v0.7.13

v0.7.14

v0.7.15

v0.7.16

v0.7.17

v0.7.18

Packagist / pterodactyl/panel

Package

Name: pterodactyl/panel
Purl: pkg:composer/pterodactyl/panel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0-rc.0

Fixed

1.0.0-rc.7

Affected versions

v1.*

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0-rc.3

v1.0.0-rc.4

v1.0.0-rc.5

v1.0.0-rc.6

Database specific

{
    "last_known_affected_version_range": "<= 1.0.0-rc.6"
}