CVE-2020-26249

Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

CVSS 7.7 HIGHEPSS 1.1%CWE-79

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.7EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

08 Dec 2020Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. This high severity exploit has been fixed on version 0.1.7a. There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected products

Cog-Creators · Red-Dashboard

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1 https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91 https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4 https://pypi.org/project/Red-Dashboard