CVE-2024-34067

6.1 MEDIUM

📋 TL;DR

Pterodactyl Panel before 1.11.6 renders certain fields taken from an imported egg, or from a Wings instance the panel talks to, into the administrative UI without adequate escaping, which allows cross-site scripting (XSS). An attacker who can get an administrator to import a crafted egg, or who controls a Wings node, can run script in that administrator's browser session and use it to take over an administrator account on the panel. Only administrators are exposed: ordinary panel users cannot reach the affected pages, so they can neither trigger nor be targeted by this issue.

💻 Affected Systems

Products:
  • Pterodactyl Panel
Versions: before 1.11.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to trigger - normal panel users cannot exploit this vulnerability.

📦 What is this software?

Pterodactyl is an open-source game server management panel. The Panel is the web UI and API that administrators and users log into; Wings is the daemon that runs on each node and manages the game server containers; an egg is the JSON template (typically shared and imported as an exported file) that describes how a given type of server is installed, configured and started.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full administrator access to the Pterodactyl Panel, potentially compromising all managed game servers and panel data.

🟠

Likely Case

An attacker who can get an administrator to import a crafted egg (for example one distributed as a community egg), or who has compromised a Wings node, runs script in the administrator's browser and uses that authenticated session to act as the administrator, for example to create a new administrator account or API key.

🟢

If Mitigated

With the patched panel, output encoding is applied to the affected fields, so markup inside an egg or in data from a Wings node is displayed as text rather than executed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrator actions or compromised wings instance access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.6

Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q

Restart Required: Yes

Instructions:

1. Back up the panel database and configuration (including the .env file).
2. Update Pterodactyl Panel to 1.11.6 or later using the official update procedure.
3. Restart the panel's queue workers as the official procedure directs so the new code is loaded. The fix is in the Panel only; Wings does not need to be updated or restarted for this issue.
4. Verify the update by confirming the panel reports version 1.11.6 or later.

🔧 Temporary Workarounds

No workaround available (all affected versions)

The vendor states no workaround exists other than updating to the patched version.

🧯 If You Can't Patch

  • Restrict administrator access to trusted personnel only; the vulnerable pages are reachable by administrators alone
  • Import only eggs from sources you trust, and review the egg JSON for HTML or script content in any text field before importing it
  • Treat every Wings node as inside the trust boundary: a compromised node can feed attacker-controlled content to the panel, so do not attach nodes you do not control
  • Monitor for unexpected egg imports and for administrator logins from unexpected sources

🔍 How to Verify

Check if Vulnerable:

Check your Pterodactyl Panel version: anything below 1.11.6 is vulnerable.

Check Version:

php artisan p:info

(run from the panel's installation directory; the command prints the panel version alongside the Laravel and PHP versions)

Verify Fix Applied:

Confirm the panel reports version 1.11.6 or later. Installs run from a git checkout report "canary" instead of a release number; for those, confirm the fix commits referenced in the vendor advisory are present in your checkout.
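A small version-check helper, added here as an example (it is not part of this page or of Pterodactyl's own code). It reads the version either from the panel's config/app.php or from the output of php artisan p:info and compares it against 1.11.6; a "canary" build (git checkout) yields no verdict, because the version string carries no release number and the commit must be checked instead. The shape of config/app.php and the "Panel Version" row label are assumptions for this example; the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# First release that contains the fix for CVE-2024-34067 (from the vendor advisory).
FIXED_VERSION = (1, 11, 6)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

# Constructed excerpt in the shape of the panel's config/app.php (assumption about layout).
SAMPLE_APP_CONFIG = """<?php
return [
    'name' => 'Pterodactyl',
    'version' => '1.11.5',
];
"""

# Constructed excerpt in the shape of `php artisan p:info` output (assumption about the row label).
SAMPLE_P_INFO = """Version Information
| Panel Version   | 1.11.6 |
| Laravel Version | 10.x   |
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '1.11.5' or 'v1.11.5' into (1, 11, 5); None for 'canary' or anything unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_from_app_config(php_source: str) -> Optional[str]:
    """Pull the 'version' entry out of config/app.php.
    Release tarballs set it to the release number; a git checkout reports 'canary'."""
    m = re.search(r"'version'\s*=>\s*'([^']*)'", php_source)
    return m.group(1) if m else None


def version_from_p_info(output: str) -> Optional[str]:
    """Pull the panel version out of `php artisan p:info` output (assumed 'Panel Version' row)."""
    m = re.search(r"Panel Version\s*\|\s*([^\s|]+)", output)
    return m.group(1) if m else None


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version predates 1.11.6, False if it is 1.11.6 or later.
    None when the string has no release number (e.g. 'canary'): in that case the
    installed commit has to be compared against the advisory instead."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


if __name__ == "__main__":
    for label, text in (("config/app.php", version_from_app_config(SAMPLE_APP_CONFIG)),
                        ("p:info", version_from_p_info(SAMPLE_P_INFO)),
                        ("git checkout", "canary")):
        verdict = is_vulnerable(text or "")
        state = {True: "VULNERABLE", False: "patched", None: "undetermined (check commit)"}[verdict]
        print(f"{label}: {text} -> {state}")
```

Point the two parsers at the real file and the real command output on the host; the verdict logic is the same.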

📡 Detection & Monitoring

Log Indicators:

  • Unusual egg imports
  • Administrator account activity from unexpected sources
  • XSS payload patterns in egg configuration fields

Network Indicators:

  • Suspicious requests to egg import endpoints
  • Unexpected data exfiltration from panel

SIEM Query (illustrative pseudo-query; source, event and payload are placeholders, not fields the panel emits out of the box):

source="pterodactyl-panel" AND (event="egg.import" OR event="egg.update") AND (payload CONTAINS "script" OR payload CONTAINS "javascript:")

In a default install the realistic log source is the web server access log: look for POST requests to the admin egg import and egg update routes from unexpected source addresses, and inspect the imported egg JSON itself for markup.
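The concrete check behind "XSS payload patterns in egg configuration fields" is to inspect an egg export before it is imported. The following scanner is an added example (not part of this page or of Pterodactyl's code): it walks the human-readable fields of an egg export that an administrator would see rendered in the panel and flags anything that looks like an HTML tag, a javascript: URL, an inline event handler or a data: HTML document. Which fields are worth inspecting is an assumption for this example (startup commands and install scripts are deliberately skipped, since they legitimately contain < and >); the egg JSON is constructed for the example and is not a real egg.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Markup where plain text is expected: an opening/closing tag or comment, a javascript:
# URL, an inline event handler (onerror=, onload=, ...) or a data: URL carrying HTML.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*="
    r"|data\s*:\s*text/html",
    re.IGNORECASE,
)

# Fields an administrator sees rendered in the egg editor (assumption for this example).
# "startup" and "scripts" are skipped on purpose: shell text there contains '<' and '>'.
TOP_LEVEL_FIELDS = ("name", "author", "description")
VARIABLE_FIELDS = ("name", "description", "env_variable", "default_value", "rules")

# Constructed egg export in the PTDL_v2 layout with a payload planted in a variable description.
MALICIOUS_EGG_JSON = r'''{
  "_comment": "constructed sample for this example, not a real egg",
  "meta": {"version": "PTDL_v2"},
  "name": "Minecraft Java",
  "author": "egg-author@example.invalid",
  "description": "A vanilla Minecraft server.",
  "docker_images": {"Java 17": "ghcr.io/pterodactyl/yolks:java_17"},
  "startup": "java -Xms128M -jar {{SERVER_JARFILE}} >> logs/latest.log 2>&1",
  "variables": [
    {
      "name": "Server JAR",
      "description": "Name of the jar<img src=x onerror=\"alert(document.domain)\">",
      "env_variable": "SERVER_JARFILE",
      "default_value": "server.jar",
      "user_viewable": true,
      "user_editable": true,
      "rules": "required|regex:/^([\\w\\d._-]+)(\\.jar)$/"
    }
  ]
}'''


def scan_egg(egg: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (json_path, matched_excerpt) for every inspected field that looks like markup."""
    findings: List[Tuple[str, str]] = []

    def check(path: str, value: Any) -> None:
        if isinstance(value, str):
            m = SUSPICIOUS.search(value)
            if m:
                findings.append((path, value[m.start():m.start() + 40]))

    for field in TOP_LEVEL_FIELDS:
        check(field, egg.get(field))
    # docker_images maps a display label to an image reference; both are shown in the UI.
    images = egg.get("docker_images")
    if isinstance(images, dict):
        for label, image in images.items():
            check(f"docker_images[{label!r}]", label)
            check(f"docker_images[{label!r}]", image)
    for i, var in enumerate(egg.get("variables") or []):
        for field in VARIABLE_FIELDS:
            check(f"variables[{i}].{field}", var.get(field))
    return findings


def scan_egg_file(path: str) -> List[Tuple[str, str]]:
    """Scan an egg export on disk before handing it to the panel's import page."""
    with open(path, "r", encoding="utf-8") as fh:
        return scan_egg(json.load(fh))


def malicious_egg() -> Dict[str, Any]:
    return json.loads(MALICIOUS_EGG_JSON)


def clean_egg() -> Dict[str, Any]:
    """Same egg with the payload replaced by an ordinary description."""
    egg = malicious_egg()
    egg["variables"][0]["description"] = "Name of the server jar file."
    return egg


if __name__ == "__main__":
    for name, egg in (("malicious", malicious_egg()), ("clean", clean_egg())):
        hits = scan_egg(egg)
        print(f"{name}: {'OK' if not hits else 'SUSPICIOUS'}")
        for path, excerpt in hits:
            print(f"  {path}: {excerpt!r}")
```

Run scan_egg_file over every egg you intend to import, or over an export of the eggs already on the panel; a hit is a reason to read the field by hand, and on a pre-1.11.6 panel a reason not to open that egg in the admin UI until the panel is patched.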

🔗 References

  • Vendor advisory GHSA-384w-wffr-x63q: https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-34067