Flame442

**Name of the Vulnerable Software and Affected Versions** Red-DiscordBot versions prior to 3.5.10 **Description** A bug in Red's Core API may authorize a user to run a command even when that user doesn't have permissions to manage a channel. This issue affects 3rd-party cogs using the `@commands.can manage channel()` command permission check without additional permission controls. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing this advisory. **Recommendations** For versions prior to 3.5.10, update to version 3.5.10 to resolve the issue. As a temporary workaround, consider unloading any cog using the `@commands.can manage channel()` command permission check until an upgrade to a patched version can be performed.

Name of the Vulnerable Software and Affected Versions: WarnSystem versions prior to 1.3.18 Description: A vulnerability has been found in the WarnSystem cog for the Red discord bot, allowing any user to access sensitive information by setting up a specific template that is not properly sanitized. Recommendations: For versions prior to 1.3.18, update to version 1.3.18 or above and type `!warnsysteminfo` to check the version. As a temporary workaround, consider unloading the WarnSystem cog or disabling the `!warnset description` command globally.

Name of the Vulnerable Software and Affected Versions: kennnyshiwa-cogs versions prior to 5a84d60018468e5c0346f7ee74b2b4650a6dade7 Description: A remote code execution (RCE) exploit has been found in the Tickets module of kennnyshiwa-cogs, allowing Discord users to craft a message that can reveal sensitive and harmful information. Recommendations: For versions prior to 5a84d60018468e5c0346f7ee74b2b4650a6dade7, upgrade to version 5a84d60018468e5c0346f7ee74b2b4650a6dade7 to receive a patch. As a temporary workaround, consider unloading the tickets module to render the exploit unusable.