PT-2024-33672 · Unknown · Pterodactyl

Pebblehosts · Published 2024-10-24 · Updated 2024-10-25 · CVE-2024-49762
CVSS v3.1: 4.6 Medium
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Pterodactyl Panel, versions prior to 1.11.8
Description: When a user disables two-factor authentication via the Panel, the client sends a DELETE request that carries the user's current password in a query parameter. TLS protects the query string in transit, but many web servers write the full request line, query string included, to their access logs, so the password is stored in plain text on the server. Anyone who obtains those logs could authenticate as the user, provided they can also learn the account's email address or username. Users who have ever disabled 2FA on a Panel should change their password and consider re-enabling 2FA if it was left disabled.
Recommendations: Update to version 1.11.8 or apply the patch manually. As a precaution, users who have ever disabled 2FA should change their passwords and consider enabling 2FA. Panel administrators should review and purge any web server access logs that may contain passwords; copies of those logs that were forwarded to a log aggregator or captured in backups hold the same data and need the same treatment.
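Triage of web server access logs for this issue, as an added example that is not part of this advisory or of the Pterodactyl project's code. It assumes the nginx/Apache "combined" log format, the client API path /api/client/account/two-factor for the 2FA endpoint, and a query parameter named password; the log lines it scans are constructed for the demonstration. The script reports which requests carried a password in the query string (and whether the Panel accepted it) and produces a redacted copy of the log, without ever printing the password values themselves.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx/Apache "combined" format (not real Panel logs).
# The $request field records the full request line, query string included, which is
# exactly how a password sent as a query parameter ends up on disk.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2024:12:00:01 +0000] "DELETE /api/client/account/two-factor?password=hunter2 HTTP/1.1" 204 0 "https://panel.example.com/account" "Mozilla/5.0"
203.0.113.11 - - [24/Oct/2024:12:00:02 +0000] "GET /api/client/account/two-factor HTTP/1.1" 200 123 "-" "Mozilla/5.0"
203.0.113.12 - - [24/Oct/2024:12:00:03 +0000] "POST /api/client/account/two-factor HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.13 - - [24/Oct/2024:12:00:04 +0000] "DELETE /api/client/account/two-factor?password=p%40ss%26word HTTP/1.1" 400 60 "-" "curl/8.0"
203.0.113.14 - - [24/Oct/2024:12:00:05 +0000] "DELETE /api/client/account/two-factor HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

# Assumed endpoint path for the Panel's 2FA client API; an assumption for this
# example, not something stated in the advisory.
TWO_FACTOR_PATH = "/api/client/account/two-factor"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_combined(line):
    """Return the fields of one combined-format access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_leaked_passwords(lines):
    """Return one finding per DELETE to the 2FA endpoint that carried a password query parameter.

    The password value itself is deliberately never returned: a triage tool for this
    issue should say whose credential was logged, not copy it somewhere new.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        entry = parse_combined(line)
        if entry is None:
            continue
        parts = urlsplit(entry["target"])
        if entry["method"] != "DELETE" or parts.path != TWO_FACTOR_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "password" not in params:
            continue
        status = int(entry["status"])
        findings.append({
            "line": lineno,
            "ip": entry["ip"],
            "time": entry["time"],
            "status": status,
            # A 2xx means the Panel accepted the password, so the logged value is (or
            # was) the account's real password. Other statuses still need redaction:
            # a rejected value may differ from the real one only by a typo.
            "accepted": 200 <= status < 300,
        })
    return findings


# Matches the password query parameter up to the next '&', whitespace or quote.
PASSWORD_PARAM_RE = re.compile(r'([?&]password=)[^&\s"]*')


def redact_line(line):
    """Replace the value of any password query parameter in a log line with [REDACTED]."""
    return PASSWORD_PARAM_RE.sub(r'\1[REDACTED]', line)


def redact_log(lines):
    """Return the log with every password query value masked, preserving line count."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in find_leaked_passwords(lines):
        verdict = "password accepted" if f["accepted"] else "password not accepted"
        print(f"line {f['line']}: {f['ip']} at {f['time']} status {f['status']} ({verdict})")
    print("--- redacted log ---")
    print("\n".join(redact_log(lines)))
```

On real logs, point the script at every rotated and compressed copy as well as the live file, and treat each "password accepted" finding as a confirmed plain-text exposure of that account's password at the time of the request. Redaction only helps if it reaches all copies; logs already shipped elsewhere must be cleaned there too.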

Related Identifiers

CVE-2024-49762
GHSA-c479-wq8g-57hr

Affected Products

Pterodactyl