CVE-2024-34712

Name of the Vulnerable Software and Affected Versions Oceanic versions prior to 1.10.4

Description The issue arises from the lack of url-encoding for input to certain functions, such as Client.rest.channels.removeBan. This allows specially crafted input, like ../../../channels/{id}, to be normalized into the url /api/v10/channels/{id}, resulting in unintended actions like deleting a channel instead of removing a ban.

Recommendations For versions prior to 1.10.4, consider updating to version 1.10.4 to resolve the issue. As a temporary workaround, consider sanitizing user input to ensure strings are valid for their intended use. Alternatively, encode input with encodeURIComponent before providing it to the library.