Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-HM45-MGQM-GJM4
HistoryDec 08, 2020 - 11:55 p.m.

Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

2020-12-0823:55:54
CWE-79
GitHub Advisory Database
github.com
39
rce exploit
red discord bot
dashboard webserver
code injection
version 0.1.7a
discord users
sensitive information
package upgrade

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

40.4%

JSON

Impact

A RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it’s possible to perform destructive actions and/or access sensitive information.

Patches

This high severity exploit has been fixed on version 0.1.7a.

Workarounds

There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue

References

  • 99d88b8
  • a6b9785

For more information

If you have any questions or comments about this advisory:

Affected configurations

Vulners
Node
noderednode-red-dashboardRange0.1.6a
VendorProductVersionCPE
noderednode-red-dashboard*cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:*:*:*

Related

osv 3
prion 1
cvelist 1
nvd 1
cve 1
veracode 1
osv
osv
CVE-2020-26249
2020-12-09 00:15:13
Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability
2020-12-08 23:55:54
PYSEC-2020-98
2020-12-09 00:15:00
prion
prion
Design/Logic Flaw
2020-12-09 00:15:00
cvelist
cvelist
CVE-2020-26249 Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability
2020-12-08 23:55:14
nvd
nvd
CVE-2020-26249
2020-12-09 00:15:13
cve
cve
CVE-2020-26249
2020-12-09 00:15:13
veracode
veracode
Remote Code Execution (RCE)
2020-12-10 06:37:00

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

40.4%

JSON
Related for GHSA-HM45-MGQM-GJM4
osv3prion1cvelist1nvd1cve1veracode1