Impact
- This issue could be exploited to read internal files from the system and write files into the system resulting in remote code execution
Patches
- This issue has been fixed on 0.0.3 version by adding a regex that validate if there's any arguments on the command. then disallow execution if there's an argument
Workarounds
- To fix this issue from your side, just upgrade discord-recon, if you're unable to do that. then just copy the code from
assets/CommandInjection.py and overwrite your code with the new one. that's the only code required.
Credits
- All of the credits for finding these issues on discord-recon goes to Omar Badran.
For more information
If you have any questions or comments about this advisory:
Impact
Patches
Workarounds
assets/CommandInjection.pyand overwrite your code with the new one. that's the only code required.Credits
For more information
If you have any questions or comments about this advisory: