Input to functions such as Client.rest.channels.removeBan is not URL-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the URL /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

encodeURIComponent before providing it to the library.

OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
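The normalization described above and the encodeURIComponent workaround, as an added example that is not Oceanic's code. The host, the /guilds/{guildID}/bans/{userID} route shape, the helper names, the sample IDs and the numeric-ID check are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of Oceanic's API.
const BASE = "https://api.example.invalid/api/v10"; // constructed host

// Constructed sample IDs (assumption: IDs are decimal strings of 17-20 digits).
const GUILD_ID = "111111111111111111";
const CHANNEL_ID = "222222222222222222";

// Unsafe: the caller-supplied ID is interpolated into the path as-is.
function buildPathUnsafe(guildID, userID) {
  return `/guilds/${guildID}/bans/${userID}`;
}

// Workaround from the advisory: percent-encode each segment so "/" in the
// input can no longer introduce new path segments.
function buildPathSafe(guildID, userID) {
  return `/guilds/${encodeURIComponent(guildID)}/bans/${encodeURIComponent(userID)}`;
}

// URL parsing collapses "." and ".." segments, as an HTTP client does
// before the request is sent.
function resolvePath(path) {
  return new URL(BASE + path).pathname;
}

// Stricter check: reject anything that is not shaped like an ID at all.
// encodeURIComponent leaves "." untouched, so a bare ".." still collapses.
function isSnowflake(value) {
  return typeof value === "string" && /^\d{17,20}$/.test(value);
}

// The crafted value quoted in the advisory, with the constructed channel ID.
const crafted = `../../../channels/${CHANNEL_ID}`;

console.log(resolvePath(buildPathUnsafe(GUILD_ID, crafted)));
// -> /api/v10/channels/222222222222222222 (ban route became a channel route)

console.log(resolvePath(buildPathSafe(GUILD_ID, crafted)));
// -> /api/v10/guilds/111111111111111111/bans/..%2F..%2F..%2Fchannels%2F222222222222222222

console.log(resolvePath(buildPathSafe(GUILD_ID, "..")));
// -> /api/v10/guilds/111111111111111111/ (encoding alone does not stop this)

console.log(isSnowflake(crafted), isSnowflake(".."), isSnowflake(CHANNEL_ID));
// -> false false true
```

Validating the ID shape before the call covers the bare ".." case that percent-encoding leaves open.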
CPE

Name | Operator | Version |
---|---|---|
oceanic.js | lt | 1.10.4 |