Remote Code Execution in Red Discord Bot
CVE-2020-15147

8.5HIGH

Key Information:

Vendor

Cog-creators

Status
Red-discordbot
Vendor
CVE Published:
21 August 2020

What is CVE-2020-15147?

Red Discord Bot before versions 3.3.12 and 3.4 has a Remote Code Execution vulnerability in the Streams module. This exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. As a workaround, unloading the Trivia module with unload streams can render this exploit not accessible. It is highly recommended updating to 3.3.12 or 3.4 to completely patch this issue.

Affected Version(s)

Red-DiscordBot < 3.3.12

References

https://github.com/Cog-Creators/Red-DiscordBot/security/a...
x_refsource_CONFIRM
https://github.com/Cog-Creators/Red-DiscordBot/pull/4183
x_refsource_MISC
https://github.com/Cog-Creators/Red-DiscordBot/pull/4183/...
x_refsource_MISC

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.