Unauthorized privilege escalation in Mod module

Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod or, disabling the massban command with command disable global massban can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

授权机制不正确

Red Discord Bot 安全漏洞

Red Discord Bot是个人开发者的一个 Python 编写的模块化机器人。该机器人软件可根据不同的模块配置完成不同的功能。 Red Discord Bot 3.4.1之前版本存在安全漏洞，该漏洞源于Mod模块中有一个未授权的特权升级漏洞。当应用程序处于超出该用户控制的特定条件时，该漏洞允许公会中具有高特权级别的不一致用户绕过层次结构检查。通过滥用这个漏洞，有可能在用户拥有高特权的行会内执行破坏性的行为。

N/A

N/A