Jackenmen

**Name of the Vulnerable Software and Affected Versions** Red-DiscordBot versions prior to 3.5.10 **Description** A bug in Red's Core API may authorize a user to run a command even when that user doesn't have permissions to manage a channel. This issue affects 3rd-party cogs using the `@commands.can manage channel()` command permission check without additional permission controls. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing this advisory. **Recommendations** For versions prior to 3.5.10, update to version 3.5.10 to resolve the issue. As a temporary workaround, consider unloading any cog using the `@commands.can manage channel()` command permission check until an upgrade to a patched version can be performed.

**Name of the Vulnerable Software and Affected Versions** Red Discord Bot versions prior to 3.4.1 **Description** The issue is an unauthorized privilege escalation exploit in the Mod module, allowing Discord users with high privilege levels within a guild to bypass hierarchy checks under specific conditions. This can lead to destructive actions within the guild. The exploit has been fixed in version 3.4.1. As a temporary workaround, unloading the Mod module or disabling the massban command can render the exploit inaccessible. **Recommendations** For versions prior to 3.4.1, update to version 3.4.1 to completely patch the issue. As a temporary workaround, consider unloading the Mod module with `unload mod` or disabling the `massban` command with `command disable global massban` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Red Discord Bot versions prior to 3.3.12 and 3.4 **Description** The issue allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message, potentially leading to destructive actions and/or access to sensitive information. **Recommendations** For versions prior to 3.3.12 and 3.4, update to version 3.3.12 or 3.4 to completely patch the issue. As a temporary workaround, consider unloading the Streams module with `unload streams` to render the exploit not accessible.