nvd-json-data-feeds/CVE-2023/CVE-2023-224xx/CVE-2023-22452.json

{
  "id": "CVE-2023-22452",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2023-01-02T20:15:10.163",
  "lastModified": "2024-11-21T07:44:49.990",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot."
    },
    {
      "lang": "es",
      "value": "kenny2automate es un robot de Discord. En la interfaz web para la configuraci\u00f3n del servidor, los elementos del formulario se generaron con ID de canal de Discord como parte de los nombres de entrada. Antes de confirmar a947d7c, no se realiz\u00f3 ninguna validaci\u00f3n para garantizar que los ID de canal enviados realmente pertenecieran al servidor que se estaba configurando. Por lo tanto, cualquiera que tenga acceso al ID del canal cuya configuraci\u00f3n desea cambiar y al panel de configuraci\u00f3n del servidor de cualquier servidor podr\u00eda cambiar la configuraci\u00f3n del canal solicitado sin importar a qu\u00e9 servidor pertenezca. La confirmaci\u00f3n a947d7c resuelve el problema y se implementa en la instancia oficial del bot. La \u00fanica soluci\u00f3n que existe es deshabilitar completamente la configuraci\u00f3n web cambi\u00e1ndola para que se ejecute en localhost. Tenga en cuenta que una soluci\u00f3n alternativa solo es necesaria para quienes ejecutan su propia instancia del bot."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:kenny2automate_project:kenny2automate:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "a947d7c",
              "matchCriteriaId": "096ADE91-2218-4D24-9731-D0B8EA5432FE"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/Kenny2github/kenny2automate/commit/a947d7ce408687b587c7e6dfd6026f7c4ee31ac2",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Kenny2github/kenny2automate/security/advisories/GHSA-73j8-xrcr-q6j7",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Kenny2github/kenny2automate/commit/a947d7ce408687b587c7e6dfd6026f7c4ee31ac2",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Kenny2github/kenny2automate/security/advisories/GHSA-73j8-xrcr-q6j7",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    }
  ]
}