Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. This high severity exploit has been fixed on version 0.1.7a. There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Red Discord Bot 跨站脚本漏洞

Red Discord Bot是个人开发者的一个 Python 编写的模块化机器人。该机器人软件可根据不同的模块配置完成不同的功能。 Red Discord Bot Dashboard 存在安全漏洞，该漏洞允许不匹配的用户使用特殊的服务器名和用户名昵称将代码注入到webserver前端代码中。通过滥用这种利用，可以执行破坏性操作和或访问敏感信息。

N/A

N/A