### [CVE-2024-39905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39905)
![](https://img.shields.io/static/v1?label=Product&message=Red-DiscordBot&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%203.5.0%2C%20%3C%203.5.10%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.5.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-863%3A%20Incorrect%20Authorization&color=brightgreen)

### Description

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds