In Red Discord Bot before version 3.3.11, a RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module\'s leaderboard command. By abusing this exploit, it\'s possible to perform destructive actions and/or access sensitive information. This critical exploit has been fixed on version 3.3.11.
Metrics
CVSS Version: 3.1 |
Base Score: 8.2 HIGH Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* NONE
Weakness Enumeration (CWE)
CWE-ID: CWE-74 CWE Name: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (
Injection
) Source: Cog-Creators
Common Attack Pattern Enumeration and Classification (CAPEC)