kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot.
Published 2023-01-02 20:15:10
Updated 2023-01-09 19:53:16
Source GitHub, Inc.
View at NVD,
Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2023-22452

Probability of exploitation activity in the next 30 days EPSS Score History
~ 15 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-22452

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
GitHub, Inc.

CWE ids for CVE-2023-22452

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by: (Primary)

References for CVE-2023-22452

Products affected by CVE-2023-22452

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to terms of use!