From 9c4037a37b2c7ffaa778b861ab807c3baf9f0402 Mon Sep 17 00:00:00 2001 From: Robert Schultheis Date: Tue, 8 Dec 2020 16:54:27 -0700 Subject: [PATCH] Add CVE-2020-26249 for GHSA-hm45-mgqm-gjm4 --- 2020/26xxx/CVE-2020-26249.json | 92 +++++++++++++++++++++++++++++++--- 1 file changed, 86 insertions(+), 6 deletions(-) diff --git a/2020/26xxx/CVE-2020-26249.json b/2020/26xxx/CVE-2020-26249.json index d0357b0b810..7c49296832b 100644 --- a/2020/26xxx/CVE-2020-26249.json +++ b/2020/26xxx/CVE-2020-26249.json @@ -1,18 +1,98 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26249", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Red-Dashboard", + "version": { + "version_data": [ + { + "version_value": "< 0.1.7a" + } + ] + } + } + ] + }, + "vendor_name": "Cog-Creators" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.\n\nThis high severity exploit has been fixed on version 0.1.7a.\n\nThere are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4", + "refsource": "CONFIRM", + "url": "https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4" + }, + { + "name": "https://pypi.org/project/Red-Dashboard", + "refsource": "MISC", + "url": "https://pypi.org/project/Red-Dashboard" + }, + { + "name": "https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91", + "refsource": "MISC", + "url": "https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91" + }, + { + "name": "https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1", + "refsource": "MISC", + "url": "https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1" + } + ] + }, + "source": { + "advisory": "GHSA-hm45-mgqm-gjm4", + "discovery": "UNKNOWN" } } \ No newline at end of file