PT-2023-18508 · Unknown · Kenny2Automate

Kenny2Github · Published 2023-01-02 · Updated 2023-01-09 · CVE-2023-22452

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

kenny2automate versions prior to commit a947d7c

Description

The issue concerns a Discord bot whose web interface for server settings generated form elements with Discord channel IDs embedded in the input names. The bot never validated that a submitted channel ID actually belonged to the server being configured, so anyone who knew a channel ID and had access to the server settings panel could change settings for that channel, regardless of which server it belonged to.

Recommendations

For versions prior to commit a947d7c, update to a version that includes commit a947d7c to resolve the issue. As a temporary workaround for those who run their own instance of the bot, consider disabling the web config entirely by changing it to run on localhost.
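As an added illustration (not kenny2automate's own code), the following Python models the settings handler described above: form field names embed a channel ID, the vulnerable handler writes wherever that ID points, and the fixed handler first checks every submitted ID against the channels of the guild being configured. The field-name scheme, the guild/channel IDs and the settings-store layout are assumptions.

```python
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample data (not real Discord IDs): which channels each guild owns.
GUILD_CHANNELS: Dict[int, Set[int]] = {
    100: {1001, 1002},  # guild 100 owns channels 1001 and 1002
    200: {2001},        # guild 200 owns channel 2001
}
# Assumed field-name scheme: the channel ID is embedded in the input name.
FIELD_RE = re.compile(r"^channel_(\d+)_(\w+)$")
Store = Dict[int, Dict[str, str]]  # channel_id -> {setting: value}


def parse_form(form: Dict[str, str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (channel_id, setting, value) for every channel_* form field."""
    for name, value in form.items():
        m = FIELD_RE.match(name)
        if m:
            yield int(m.group(1)), m.group(2), value


def apply_settings_vulnerable(guild_id: int, form: Dict[str, str], store: Store) -> List[int]:
    """Pre-fix behaviour: the channel ID taken from the field name is trusted as-is,
    so a user authorised for guild_id can write settings for any channel at all.
    guild_id is accepted but never checked against the submitted IDs."""
    changed = []
    for channel_id, setting, value in parse_form(form):
        store.setdefault(channel_id, {})[setting] = value
        changed.append(channel_id)
    return changed


def apply_settings_fixed(guild_id: int, form: Dict[str, str], store: Store) -> List[int]:
    """Post-fix behaviour: every submitted channel ID must belong to guild_id.
    Validation runs before any write, so one bad field rejects the whole submission."""
    allowed = GUILD_CHANNELS.get(guild_id, set())
    updates = list(parse_form(form))
    for channel_id, _setting, _value in updates:
        if channel_id not in allowed:
            raise PermissionError(f"channel {channel_id} does not belong to guild {guild_id}")
    changed = []
    for channel_id, setting, value in updates:
        store.setdefault(channel_id, {})[setting] = value
        changed.append(channel_id)
    return changed
```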

Related Identifiers

CVE-2023-22452
GHSA-73J8-XRCR-Q6J7

Affected Products

Kenny2Automate