PT-2024-28723 · Unknown · Red Discord Bot

Flame442 +1 · Published 2024-07-11 · Updated 2024-07-11 · CVE-2024-39905

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Red-DiscordBot versions prior to 3.5.10
Description: A bug in Red's Core API may authorize a user to run a command even when that user doesn't have permission to manage a channel. This issue affects third-party cogs that use the @commands.can_manage_channel() command permission check without additional permission controls. None of the core commands or core cogs are affected. At the time of writing this advisory, the maintainers of the project are not aware of any public third-party cog that uses this API.
Recommendations: For versions prior to 3.5.10, update to version 3.5.10 to resolve the issue. As a temporary workaround, consider unloading any cog that uses the @commands.can_manage_channel() command permission check until an upgrade to a patched version can be performed.

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2024-39905
GHSA-5JQ8-Q6RJ-9GQ4

Affected Products

Red Discord Bot