CVE-2021-26918

Name of the Vulnerable Software and Affected Versions: ProBot bot through 2021-02-08 for Discord

Description: The issue allows attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature, or possibly have unspecified other impact, because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. The nature of the issue has substantial interaction with customer-controlled configuration.

Recommendations: For ProBot bot through 2021-02-08, consider restricting the file types accepted by the uploader web service to prevent double extensions, such as .html.jpg, from being uploaded with the text/html content type. As a temporary workaround, consider disabling the "Send an image when a user joins the server" feature until a more robust solution is available.