CVE-2020-26249: Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability
CVSS Score: 7.7 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-26249
GHSA ID
EPSS Score: 0.60769%
CWE
Published: 12/8/2020
Updated: 10/25/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
red-dashboard | pip | <= 0.1.6a | 0.1.7a |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key patterns:
- In dashboard.html, pre-patch code used `${g.name}` and `${g.owner}` in template literals to directly populate HTML elements. This allowed injection of arbitrary HTML/JS via malicious Discord server names or usernames.
- In guild.html, pre-patch code inserted unescaped `rule.name` values into `<code>` elements.

The patches introduced HTML escaping (via a `safe()` function) and jQuery's `.text()` method to properly sanitize output. Both patterns demonstrate classic DOM-based XSS vulnerabilities where user-controlled input was rendered without proper contextual escaping, enabling code execution in the dashboard's privileged environment.
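
The two rendering patterns described above, side by side, as an added example that is not red-dashboard's own code. The helper names (`escapeHtml`, `renderCardUnsafe`, `renderCardSafe`, `startTags`, `sameStructure`), the card markup and the sample records are assumptions constructed for illustration; the project's `safe()` implementation is not shown on this page.

```javascript
// Added example with constructed data and hypothetical helper names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hypothetical stand-in for an escaping helper such as the patch's safe().
// Covers both element-content and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-patch pattern: fields interpolated straight into a template literal.
function renderCardUnsafe(g) {
  return `<div class="card" title="${g.name}"><h3>${g.name}</h3><p>${g.owner}</p></div>`;
}

// Hardened pattern: every interpolated field is escaped before it reaches markup.
// In the browser, $(el).text(value) or el.textContent avoids HTML parsing entirely.
function renderCardSafe(g) {
  const name = escapeHtml(g.name);
  const owner = escapeHtml(g.owner);
  return `<div class="card" title="${name}"><h3>${name}</h3><p>${owner}</p></div>`;
}

// Rough structural check: list the element start tags present in the markup.
function startTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample records standing in for guild data supplied by Discord users.
const benign = { name: "Tabletop & Chill", owner: "alice#0001" };
const hostile = { name: '"><img src=x onerror=alert(1)>', owner: "<b>mallory</b>" };

// The template itself should only ever produce div, h3 and p elements.
const expectedTags = JSON.stringify(startTags(renderCardUnsafe(benign)));

function sameStructure(html) {
  return JSON.stringify(startTags(html)) === expectedTags;
}

console.log("unsafe keeps structure:", sameStructure(renderCardUnsafe(hostile)));
console.log("safe keeps structure:  ", sameStructure(renderCardSafe(hostile)));
console.log(renderCardSafe(hostile));
```

The structural check doubles as a regression test: any template that lets a user-controlled field change the set of rendered elements fails it.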