Vulnerability Information
Vulnerability Title
Reviactyl: OAuth account takeover via auto-linking
Vulnerability Description
Reviactyl is an open-source game server management panel built with Laravel, React, FilamentPHP, Vite, and Go. Versions from 26.2.0-beta.1 up to, but not including, 26.2.0-beta.5 contain a flaw in the OAuth authentication flow: when a social login completed, the panel automatically linked the social account to an existing local account based solely on a matching email address, with no other check such as a previously established link. An attacker who creates or controls a social account (for example Google, GitHub, or Discord) registered with a victim's email address could therefore sign in as the victim without knowing the victim's password. This is a full account takeover requiring no prior authentication. The issue is patched in version 26.2.0-beta.5.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 9.1, Critical)
Vulnerability Type
Improper Access Control
Vulnerability Title
Reviactyl Improper Access Control Vulnerability
Vulnerability Description
Reviactyl is an open-source game server management panel published by Reviactyl. Reviactyl versions from 26.2.0-beta.1 up to, but not including, 26.2.0-beta.5 contain an improper access control vulnerability. The flaw lies in the OAuth authentication flow, which automatically links a social account to a local account based solely on a matching email address. An attacker who creates or controls a social account using the victim's email address can gain full access to the victim's account without knowing the password, resulting in account takeover.
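Both descriptions above describe the same logic error: treating a matching email address from an OAuth provider as proof of ownership of a local account. The following is an added example, not Reviactyl's code, that models the vulnerable callback beside a hardened variant. The in-memory store, the provider names, the `OAuthIdentity` fields, and the `link_required` / `ok` status values are assumptions chosen for illustration; the hardened handler signs in only identities the user has already linked explicitly while authenticated, and never creates a link from an email match alone.

```python
"""
Added example (not Reviactyl's code): models the OAuth auto-linking flaw
described in the advisory next to one hardened variant. The in-memory
store, provider names and identity fields are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    # (provider, provider_user_id) pairs this user explicitly linked
    linked: set = field(default_factory=set)


@dataclass(frozen=True)
class OAuthIdentity:
    """What the panel learns from the provider's user-info endpoint."""
    provider: str
    provider_user_id: str
    email: str


class Panel:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def _by_email(self, email):
        # Case-insensitive match, as panels normally normalise addresses
        return next((u for u in self.users.values()
                     if u.email.lower() == email.lower()), None)

    def _by_link(self, ident):
        key = (ident.provider, ident.provider_user_id)
        return next((u for u in self.users.values() if key in u.linked), None)

    def callback_vulnerable(self, ident):
        """Pre-beta.5 behaviour: a matching e-mail alone is enough to sign in as
        the local user, and the attacker's provider identity is silently linked."""
        user = self._by_link(ident)
        if user is None:
            user = self._by_email(ident.email)
            if user is not None:
                user.linked.add((ident.provider, ident.provider_user_id))
        return user

    def callback_hardened(self, ident):
        """Only an identity the user previously linked may sign in. When a local
        account with the same e-mail exists but no link does, the flow stops and
        the user must authenticate with their password before linking."""
        user = self._by_link(ident)
        if user is not None:
            return ("ok", user)
        if self._by_email(ident.email) is not None:
            return ("link_required", None)
        return ("register", None)  # new-user registration path omitted here

    def link_identity(self, session_user, ident):
        """Explicit linking from account settings, by an already-authenticated user.
        The e-mail reported by the provider plays no role in the decision."""
        if self._by_link(ident) is not None:
            raise PermissionError("identity already linked to another account")
        session_user.linked.add((ident.provider, ident.provider_user_id))


def demo():
    """Constructed scenario: attacker controls a Discord account registered
    with the victim's address. Returns (vulnerable_result, hardened_result)."""
    attacker = OAuthIdentity("discord", "attacker-999", "victim@example.com")
    vulnerable = Panel([User(1, "victim@example.com")]).callback_vulnerable(attacker)
    hardened = Panel([User(1, "victim@example.com")]).callback_hardened(attacker)
    return vulnerable, hardened
```

Running `demo()` shows the vulnerable handler returning the victim's `User` for the attacker-controlled identity, while the hardened handler returns `("link_required", None)`; the victim must log in with their password and call `link_identity` before any Discord identity can sign them in. Note that trusting a provider's "email verified" flag instead would still leave the panel dependent on every provider's verification policy, which is why the hardened path ignores the email entirely.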
CVSS Information
N/A
Vulnerability Type
N/A