Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
WS-2022-0039
Good to know:
Date: January 21, 2022
A vulnerability exists in Pterodactyl Panel <= 1.6.6 that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to. It is important to note that a malicious user must first compromise an existing API key for a user to exploit this issue. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Insufficient Session Expiration
CWE-613Top Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | HIGH |
| Privileges Required (PR): | HIGH |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | LOW |