Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Oct 23rd 2021
An attacker is able to log a user out if that logged-in user visits the attacker's website.
This vulnerability lets an attacker force a user into an unintentional logout.
Tested on Firefox, Chrome and Safari.
Use POST instead of GET.
One way this could be abused is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they will be unknowingly logged out.
This is why logout should be a POST request carrying a @csrf token, not a GET.
While this cannot harm a user's account, it can be a great annoyance.
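To make the recommended fix concrete, the following is an added Python model of the logout handler, not Pterodactyl's own (Laravel/PHP) code: it places the reported GET-triggered logout beside a hardened version that accepts only POST and requires the session-bound token that Laravel's @csrf directive emits as the hidden `_token` field. The `Session` and `Request` classes are constructed stand-ins for the real framework objects.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Constructed stand-in for a server-side session bound to the browser's cookie."""
    user: Optional[str] = "alice"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    form: dict = field(default_factory=dict)


def forged_image_request() -> Request:
    """What an <img src="<logout link>"> on a third-party page produces: a bare GET.
    The browser attaches the session cookie automatically, but there is no form body."""
    return Request(method="GET")


def logout_vulnerable(session: Session, request: Request) -> bool:
    """The reported flaw: any request, including the forged GET above, ends the session."""
    session.user = None
    return True


def logout_hardened(session: Session, request: Request) -> bool:
    """The suggested fix (POST + @csrf): reject non-POST requests, then require the
    form to carry the token stored in this session. A cross-site page cannot read
    that token (same-origin policy), so it cannot build a form that passes the check."""
    if request.method != "POST":
        return False  # a real app answers 405 Method Not Allowed
    submitted = request.form.get("_token", "")
    # Constant-time comparison avoids leaking the token through timing differences.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False  # Laravel's VerifyCsrfToken middleware answers 419 here
    session.user = None
    return True
```

In the real panel the equivalent change is a `Route::post` logout route whose form includes `@csrf`, which renders the hidden `_token` input that the `VerifyCsrfToken` middleware validates on every non-read request.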