PT-2019-11618 · Pterodactyl · Pterodactyl

Dane Everitt · Published 2019-07-29 · Updated 2022-05-24 · CVE-2019-1020002

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Pterodactyl versions prior to 0.7.14
Description: The issue allows malicious users to determine the existence of an account by entering random credentials into the login fields, even when 2FA protections are enabled. This is due to a logical mistake in the original code that waits to verify the user's password until they have provided 2FA credentials. As a result, entering a bad password for a known email can reveal if the account exists by checking if the user is redirected to a 2FA page.
Recommendations: For versions prior to 0.7.14, update to version 0.7.14 or later to resolve the issue. As a temporary workaround, consider disabling 2FA until the update is applied.
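The ordering flaw described above, modelled as an added Python example (not Pterodactyl's own code, which is PHP): the pre-0.7.14 style handler branches to the 2FA step before the password is verified, while the corrected handler verifies the password first and returns the same response for an unknown address and a wrong password. The user store, password hashing stand-in and response labels are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    email: str
    password_hash: bytes  # constructed stand-in; a real app uses bcrypt/argon2
    totp_enabled: bool


def _hash(password: str) -> bytes:
    # Plain SHA-256 keeps the example self-contained; not a password-hashing recommendation.
    return hashlib.sha256(password.encode()).digest()


# Constructed sample accounts: one with 2FA enabled, one without.
USERS = {
    "alice@example.test": User("alice@example.test", _hash("correct horse"), totp_enabled=True),
    "bob@example.test": User("bob@example.test", _hash("hunter2"), totp_enabled=False),
}


def login_vulnerable(email: str, password: str) -> str:
    """Flawed ordering: a 2FA-enabled account is redirected to the 2FA page
    before the password is checked, so the response differs by account existence."""
    user = USERS.get(email)
    if user is None:
        return "login_failed"
    if user.totp_enabled:
        return "redirect_2fa"  # reached even with a wrong password
    if hmac.compare_digest(user.password_hash, _hash(password)):
        return "logged_in"
    return "login_failed"


def login_fixed(email: str, password: str) -> str:
    """Corrected ordering: the password must verify before any 2FA branching,
    and unknown email vs. wrong password yield the identical response."""
    user = USERS.get(email)
    # Always run a comparison so the unknown-user path does no less work.
    expected = user.password_hash if user is not None else _hash("")
    password_ok = hmac.compare_digest(expected, _hash(password)) and user is not None
    if not password_ok:
        return "login_failed"
    return "redirect_2fa" if user.totp_enabled else "logged_in"
```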

Fix

Side Channel Attack

Related Identifiers

CVE-2019-1020002
GHSA-FG52-XJFC-9RH8
GHSA-VCM9-HX3Q-QWJ8

Affected Products

Pterodactyl