CVE-2021-41273 MEDIUM

CVE-2021-41273: Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys

Vendor Pterodactyl
Product panel
Weakness CWE-352 · CSRF
Published November 17, 2021
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.

Key dates

02Disclosure timeline

November 17, 2021 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-24809 BP Better Messages < 1.9.9.41 - Multiple CSRF CVE-2024-5815 Cross Site Request Forgery was identified in GitHub Enterprise Server that allowed write in a user owned repository CVE-2025-13143 Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection CVE-2025-23424 WordPress Marquee Style RSS News Ticker plugin <= 3.2.0 - CSRF to Stored Cross Site Scripting (XSS) vulnerability CVE-2024-4172 idcCMS cross-site request forgery