7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26249

GHSA ID

GHSA-hm45-mgqm-gjm4

EPSS Score

0.60769%

CWE

CWE-79

Published

12/8/2020

Updated

10/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26249

CVE-2020-26249: Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

Impact

A RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Patches

This high severity exploit has been fixed on version 0.1.7a.

Workarounds

There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue

References

99d88b8
a6b9785

For more information

If you have any questions or comments about this advisory:

Open an issue in Cog-Creators/Red-Dashboard
Over on the official Red Server or at the Third Party Server Toxic Layer

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26249

GHSA ID

GHSA-hm45-mgqm-gjm4

EPSS Score

0.60769%

CWE

CWE-79

Published

12/8/2020

Updated

10/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
red-dashboard	pip	<= 0.1.6a	0.1.7a

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key patterns:

In dashboard.html, pre-patch code used ${g.name} and ${g.owner} in template literals to directly populate HTML elements. This allowed injection of arbitrary HTML/JS via malicious Discord server names or usernames.
In guild.html, pre-patch code inserted unescaped rule.name values into <code> elements. The patches introduced HTML escaping (via safe() function) and jQuery's .text() method to properly sanitize output. Both patterns demonstrate classic DOM-based XSS vulnerabilities where user-controlled input was rendered without proper contextual escaping, enabling code execution in the dashboard's privileged environment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * R** *xploit **s ***n *is*ov*r** in t** R** *is*or* *ot - **s**o*r* W**s*rv*r: t*is *xploit *llows *is*or* us*rs wit* sp**i*lly *r**t** S*rv*r n*m*s *n* Us*rn*m*s/Ni*kn*m*s to inj**t *o** into t** w**s*rv*r *ront-*n* *o**. *y **usin* t*i

Reasoning

T** vuln*r**ility st*ms *rom two k*y p*tt*rns: *. In **s**o*r*.*tml, pr*-p*t** *o** us** `${*.n*m*}` *n* `${*.own*r}` in t*mpl*t* lit*r*ls to *ir**tly popul*t* *TML *l*m*nts. T*is *llow** inj**tion o* *r*itr*ry *TML/JS vi* m*li*ious *is*or* s*rv*r n*

7.7

Basic Information

Concerned about an active attack path?

CVE-2020-26249: Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

Impact

Patches

Workarounds

References

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI