8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15140

GHSA ID

GHSA-55j9-849x-26h4

EPSS Score

0.51174%

CWE

CWE-74

Published

8/21/2020

Updated

10/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15140

CVE-2020-15140: Remote Code Execution in Red Discord Bot

Impact

A RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Patches

This critical exploit has been fixed on version 3.3.11.

Workarounds

Unloading the Trivia module with unload trivia can render this exploit not accessible. We still highly recommend updating to 3.3.11 to completely patch this issue.

References

https://github.com/Cog-Creators/Red-DiscordBot/pull/4175

For more information

If you have any questions or comments about this advisory:

Open an issue in Cog-Creators/Red-DiscordBot
Over on our Discord server

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15140

GHSA ID

GHSA-55j9-849x-26h4

EPSS Score

0.51174%

CWE

CWE-74

Published

8/21/2020

Updated

10/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Red-DiscordBot	pip	< 3.3.11	3.3.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The critical fix in commit 9ab5362 shows removal of a .format() call that processed user-controlled member data. As usernames are external input, using .format() on them without proper sanitization creates a format string vulnerability (CWE-74). The patch removed this insecure string formatting, confirming this was the injection vector. The function's role in leaderboard generation matches the vulnerability description of username-based code injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * R** *xploit **s ***n *is*ov*r** in t** Trivi* mo*ul*: t*is *xploit *llows *is*or* us*rs wit* sp**i*i**lly *r**t** us*rn*m*s to inj**t *o** into t** Trivi* mo*ul*'s l****r*o*r* *omm*n*. *y **usin* t*is *xploit, it's possi*l* to p*r*orm **

Reasoning

T** *riti**l *ix in *ommit ******* s*ows r*mov*l o* * `.*orm*t()` **ll t**t pro**ss** us*r-*ontroll** m*m**r **t*. *s us*rn*m*s *r* *xt*rn*l input, usin* `.*orm*t()` on t**m wit*out prop*r s*nitiz*tion *r**t*s * *orm*t strin* vuln*r**ility (*W*-**).

8.2

Basic Information

Concerned about an active attack path?

CVE-2020-15140: Remote Code Execution in Red Discord Bot

Impact

Patches

Workarounds

References

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI