Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability
CVE-2020-26249

7.7HIGH

Key Information:

Vendor

Cog-creators

Status
Red-dashboard
Vendor
CVE Published:
9 December 2020

What is CVE-2020-26249?

Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. This high severity exploit has been fixed on version 0.1.7a. There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.

Affected Version(s)

Red-Dashboard < 0.1.7a

References

https://github.com/Cog-Creators/Red-Dashboard/security/ad...
x_refsource_CONFIRM
https://pypi.org/project/Red-Dashboard
x_refsource_MISC
https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9...
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.