CVE-2020-26249 red-dashboard

Package

Manager: pip
Name: red-dashboard
Vulnerable Version: >=0 <0.1.7a

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00414 (percentile 0.60784)

Details

Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

### Impact

An RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it is possible to perform destructive actions and/or access sensitive information.

### Patches

This high severity exploit has been fixed in version `0.1.7a`.

### Workarounds

There are no workarounds; bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.

### References

- 99d88b8
- a6b9785

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Cog-Creators/Red-Dashboard](https://github.com/Cog-Creators/Red-Dashboard/issues/new/choose)
* Ask over on the official [Red Server](https://discord.gg/red) or at the Third Party Server [Toxic Layer](https://discord.gg/vQZTdB9)

Metadata

Created: 2020-12-08T23:55:54Z
Modified: 2024-10-25T21:50:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-hm45-mgqm-gjm4/GHSA-hm45-mgqm-gjm4.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hm45-mgqm-gjm4
Finding: F425
Auto approve: 1