OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password.
The bug consists of incorrect data type comparison during user credential verification — a mechanism known as type juggling. An attacker can craft an authentication request in such a way that the comparison returns a positive value despite providing an incorrect or empty password. The vulnerability is present in all versions of OGP-Website preceding the commit with hash 52f865a4fba763594453068acf8fa9e3fc38d663.
An attacker can gain unauthorized access to any user account — including administrative accounts — without knowing the password. As a result, it is possible to take full control of the OGP-Website instance and the game servers it manages.
The OGP-Website installation should be immediately updated to a version containing commit 52f865a4fba763594453068acf8fa9e3fc38d663 or later. Details of the fix are available in the vendor references (pull request #644 in the OpenGamePanel/OGP-Website GitHub repository).
OGP-Website (OpenGamePanel) — all versions preceding commit 52f865a4fba763594453068acf8fa9e3fc38d663
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X