CSRF allowing modification of commands, modules, banphrases through hidden iFrames

Low
pajlada published GHSA-wmfr-qrg4-qc3h May 20, 2021

Package

pajbot

Affected versions

<1.52

Patched versions

1.52

Description

The original security issue was reported to me by @Melonify through proper channels on the 18th of May; they gave me guidance throughout the fixing process.

Impact

Hosters of pajbot1

Patches

Hosters should upgrade to v1.52 or stable

Workarounds

The upgrade is simple and adds only one modern dependency. If a full upgrade is not possible, the fix in #1248 can be reviewed instead.
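As an added illustration (not pajbot's own code and not the contents of #1248), this Python sketch shows the kind of check a server-side CSRF protection adds: state-changing admin requests must carry a per-session token that a page on another origin cannot read, so a form auto-submitted from a hidden iframe is rejected even though the browser attaches the admin's session cookie. The origin, session model and form fields are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values for this example; a real deployment takes these from config.
ADMIN_ORIGIN = "https://bot.example.invalid"  # hypothetical admin-panel origin
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

@dataclass
class Session:            # server-side state looked up from the session cookie
    user: str
    csrf_token: Optional[str] = None

@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Session      # the browser attaches the cookie to cross-site POSTs too

def issue_csrf_token(session: Session) -> str:
    """Mint a per-session secret; embed it in every admin form as a hidden field."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token

def check_csrf(req: Request) -> Tuple[bool, str]:
    """Reject state-changing requests that another origin could have forged."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    # Layer 1: Origin/Referer must be the admin panel; a hidden-iframe form arrives with the other site's origin.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not origin.startswith(ADMIN_ORIGIN):
        return False, "cross-site origin"
    # Layer 2: the form must echo the session token, which other origins cannot read.
    submitted = req.form.get("csrf_token", "")
    if not submitted or req.session.csrf_token is None:
        return False, "missing token"
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return False, "token mismatch"
    return True, "ok"

def demo() -> Dict[str, Tuple[bool, str]]:  # same admin session: genuine edit vs forged ones
    session = Session(user="admin")
    token = issue_csrf_token(session)
    edit = {"command": "!hello", "response": "hi"}  # constructed form fields
    genuine = Request("POST", {"Origin": ADMIN_ORIGIN}, {**edit, "csrf_token": token}, session)
    forged = Request("POST", {"Origin": "https://evil.example.invalid"}, edit, session)
    stripped = Request("POST", {}, edit, session)  # Origin header absent, still no token
    return {"genuine": check_csrf(genuine), "forged": check_csrf(forged), "stripped": check_csrf(stripped)}
```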

References

Vulnerability tester: https://gist.github.com/Melonify/d8e5d70cdc1bebb871f72dc79d69ac60

Severity

Low (2.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2021-32632

Weaknesses

Credits