PT-2020-14315 · Sopel+1 · Channelmgnt Plug-In+2

Published: 2020-10-13 · Updated: 2021-11-18 · CVE-2020-15251

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Sopel Channelmgnt plug-in versions prior to 1.0.3
MirahezeBot-Plugins versions 9.0.0 through 9.0.1

Description

The issue allows malicious users to bypass access control lists (ACLs) and take over a channel by op/voicing. This is possible due to a vulnerability in the Channelmgnt plug-in for Sopel, a Python IRC bot.

Recommendations

For Sopel Channelmgnt plug-in versions prior to 1.0.3, update to version 1.0.3 to resolve the issue.
For MirahezeBot-Plugins versions 9.0.0 through 9.0.1, update to version 9.0.2 or later, which includes the patched Channelmgnt plug-in version 1.0.3.
As a temporary workaround, consider disabling the Channelmgnt plug-in until a patch is available.

Fix

Weakness Enumeration

Incorrect Authorization
Missing Authorization

Related Identifiers

CVE-2020-15251
GHSA-23PC-4339-95VG
GHSA-J257-JFVV-H3X5
PYSEC-2020-110

Affected Products

Channelmgnt Plug-In
Mirahezebot-Plugins
Sopel