NVD Vulnerability Detail

CVE-2020-26249

Summary	Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. This high severity exploit has been fixed on version 0.1.7a. There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.
Publication Date	Dec. 9, 2020, 9:15 a.m.
Registration Date	Jan. 26, 2021, 11:55 a.m.
Last Update	Nov. 21, 2024, 2:19 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cogboard:red-dashboard:0.1.3:alpha0::::::
cpe:2.3:a:cogboard:red-dashboard:0.1.4:alpha0::::::
cpe:2.3:a:cogboard:red-dashboard:0.1.5:alpha0::::::
cpe:2.3:a:cogboard:red-dashboard:0.1.6:alpha0::::::
cpe:2.3:a:cogboard:red-dashboard:0.1.2:alpha0::::::

Related information, measures and tools

No	URL	タグ
1	https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1	Patch Third Party Advisory
2	https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1	Patch Third Party Advisory
3	https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91	Patch Third Party Advisory
4	https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91	Patch Third Party Advisory
5	https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4	Patch Third Party Advisory
6	https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4	Patch Third Party Advisory
7	https://pypi.org/project/Red-Dashboard	Product Third Party Advisory
8	https://pypi.org/project/Red-Dashboard	Product Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Red Discord Bot Dashboard におけるクロスサイトスクリプティングの脆弱性

Title	Red Discord Bot Dashboard におけるクロスサイトスクリプティングの脆弱性
Summary	Red Discord Bot Dashboard には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 30, 2020, midnight
Registration Date	July 27, 2021, 4:54 p.m.
Last Update	July 27, 2021, 4:54 p.m.

Affected System

Cog-Creators

Red-Dashboard 0.1.7a 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-26249	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26249
National Vulnerability Database (NVD)
2	CVE-2020-26249	https://nvd.nist.gov/vuln/detail/CVE-2020-26249

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Fix unformatted HTML	https://github.com/Cog-Creators/Red-Dashboard/commit/99d88b840674674166ce005b784ae8e31e955ab1
2	Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability	https://github.com/Cog-Creators/Red-Dashboard/security/advisories/GHSA-hm45-mgqm-gjm4
3	[UI] Fix SelectPicker not rendering properly	https://github.com/Cog-Creators/Red-Dashboard/commit/a6b9785338003ec87fb75305e7d1cc2d40c7ab91
Python Package Index (PyPI)
4	Red-Dashboard 0.1.8a0	https://pypi.org/project/Red-Dashboard

Change Log

No	Changed Details	Date of change
1	[2021年07月27日] 掲載	July 27, 2021, 4:54 p.m.