PT-2024-26400 · MIT · MIT IdentiBot

Zelnickb · Published 2024-05-27 · Updated 2024-05-28

CVE-2024-35237 · CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MIT IdentiBot versions prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e

Description: A vulnerability in MIT IdentiBot, an open-source Discord bot, allows unauthorized access to sensitive information about Discord users who have verified their affiliation with MIT. The issue arises because IdentiBot does not check whether a server is authorized before allowing its members to execute certain commands, such as /kerbid, which can reveal a user's full name and other information. This vulnerability affects unpatched instances of IdentiBot tied to a "public" Discord application. The estimated number of potentially affected devices or users is not specified.

Recommendations: To prevent exploitation of the vulnerability, all vulnerable instances of MIT IdentiBot should be taken offline until they have been updated to the latest version, which contains a patch for this issue, implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e. As a temporary workaround, consider disabling the execution of slash and user commands in unauthorized servers until the patch is applied.
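The missing server check described above, as an added defensive example that is not IdentiBot's own code: a framework-agnostic interaction handler that returns a verified user's record without looking at the originating server, beside a hardened handler that refuses sensitive commands from guilds outside an allowlist or from DMs and records each refusal for detection. The guild IDs, user record and function names are constructed placeholders.

```javascript
// Added example, not IdentiBot's code: guild authorization for identity commands.
// All IDs, records and function names below are constructed placeholders.

// Guilds (Discord servers) permitted to run commands that reveal verified-user data.
const AUTHORIZED_GUILDS = new Set(["100000000000000001"]);

// Commands that disclose affiliation data and therefore require an authorized guild.
const SENSITIVE_COMMANDS = new Set(["kerbid"]);

// Constructed verified-user store: Discord user ID -> affiliation record.
const VERIFIED_USERS = new Map([
  ["200000000000000002", { kerb: "jdoe", fullName: "Jane Doe" }],
]);

// Audit trail of refused interactions, useful for spotting probing from unauthorized servers.
const refusals = [];

// Core lookup shared by both handlers; it has no notion of where the request came from.
function lookupVerifiedUser(targetUserId) {
  const record = VERIFIED_USERS.get(targetUserId);
  return record ? { status: "ok", data: record } : { status: "not_verified" };
}

// Vulnerable dispatch: any server that has added the public application can run
// /kerbid, because the originating guild is never checked.
function handleVulnerable(interaction) {
  return lookupVerifiedUser(interaction.targetUserId);
}

// A DM interaction carries no guild (guildId === null) and is treated as unauthorized.
function isAuthorizedGuild(interaction) {
  return interaction.guildId !== null && AUTHORIZED_GUILDS.has(interaction.guildId);
}

// Hardened dispatch: authorize the guild before a sensitive command executes.
function handleHardened(interaction) {
  if (SENSITIVE_COMMANDS.has(interaction.command) && !isAuthorizedGuild(interaction)) {
    refusals.push({ command: interaction.command, guildId: interaction.guildId });
    return { status: "forbidden", reason: "server not authorized for this command" };
  }
  return lookupVerifiedUser(interaction.targetUserId);
}

// Constructed interaction from a server outside the allowlist.
const rogue = { command: "kerbid", guildId: "999999999999999999", targetUserId: "200000000000000002" };
console.log(handleVulnerable(rogue).status, handleHardened(rogue).status); // prints "ok forbidden"
```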

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-35237, GHSA-H8R9-7R8X-78V6

Affected Products: MIT IdentiBot