PT-2019-2933 · Znc+2

Jeriko One · Published 2019-06-12 · Updated 2024-06-15 · CVE-2019-12816

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ZNC versions prior to 1.7.4-rc1

Description

The issue is related to insufficient privilege control in the LoadModule, GetModInfo, and GetModPathInfo functions from src/Modules.cpp, which are part of the mechanism for disconnecting clients from an IRC server or a selected ZNC channel. This can be exploited by a remote attacker to elevate privileges and execute arbitrary code by loading a module with a specially crafted user name.

Recommendations

For versions prior to 1.7.4-rc1, update to version 1.7.4-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the LoadModule function to prevent non-admin users from loading modules until a patch is applied.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2019-02908
CVE-2019-12816
DLA-1830-1
DSA-4463-1
MGASA-2019-0262
OPENSUSE-SU-2019:1775-1
OPENSUSE-SU-2019:1859-1
OPENSUSE-SU-2019_1775-1
OPENSUSE-SU-2024:11542-1
USN-4044-1

Affected Products

Suse
Ubuntu
Znc