Impact
Any user, regardless of the permissions they hold in the server, can obtain any role positioned below the bot's top role by invoking the !reaction_role
command. The command posts a "React to this message to get role" message in a channel of the attacker's choice, and any role can be specified. The bot does reply with a stern "Not authorized," but the permission check only sends that reply; it does not abort the command, so the reaction role message is still created. Once the message is posted, the attacker reacts to it and is granted the role.
Note that the vulnerable command is available to every user and can even be invoked from a DM with the bot.
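The bug described above is the classic "reply but don't return" mistake in a command handler. The following is an added illustration, not OSUBot's code: a minimal stand-in for a Discord command handler (the Role, Member, Guild and Context classes are constructed here, not discord.py types) showing the vulnerable pattern beside a hardened form. The assumption that the role is resolved from the bot's global guild list rather than the caller's guild, which is what would let the command work from a DM, is a guess at the mechanism and is marked as such in the code.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    position: int  # higher position = higher in the guild's role hierarchy


@dataclass
class Member:
    name: str
    manage_roles: bool  # stand-in for the Manage Roles permission
    top_role: Role


@dataclass
class Guild:
    name: str
    roles: dict         # role name -> Role
    bot_member: Member  # the bot's own membership in this guild


@dataclass
class Context:
    author: Member
    guild: Optional[Guild]  # None when the command arrives via DM
    bot_guilds: list        # every guild the bot is in (the bot's global view)
    replies: list = field(default_factory=list)
    reaction_messages: list = field(default_factory=list)

    def send(self, text):
        self.replies.append(text)


def lookup_role(ctx, guild_name, role_name):
    # ASSUMPTION: the target is resolved from the bot's global guild list, not
    # from ctx.guild. That is one way a command could work from a DM.
    for g in ctx.bot_guilds:
        if g.name == guild_name and role_name in g.roles:
            return g, g.roles[role_name]
    return None, None


def post_reaction_role_message(ctx, guild, role):
    # Stand-in for posting the "React to this message to get role" message.
    ctx.reaction_messages.append((guild.name, f"React to this message to get {role.name}"))


def reaction_role_vulnerable(ctx, guild_name, role_name):
    """Pattern from the advisory: replies 'Not authorized' but keeps going."""
    if not ctx.author.manage_roles:
        ctx.send("Not authorized")  # BUG: no return, so execution falls through
    guild, role = lookup_role(ctx, guild_name, role_name)
    if role is None:
        ctx.send("Unknown role")
        return False
    post_reaction_role_message(ctx, guild, role)
    return True


def reaction_role_fixed(ctx, role_name):
    """Hardened form: every failed check returns, and the request is scoped."""
    if ctx.guild is None:
        ctx.send("This command can only be used in a server")
        return False
    if not ctx.author.manage_roles:
        ctx.send("Not authorized")
        return False
    role = ctx.guild.roles.get(role_name)  # only roles of the caller's own guild
    if role is None:
        ctx.send("Unknown role")
        return False
    # The bot can only grant roles below its own top role, and a moderator
    # must not be able to hand out a role at or above their own.
    if role.position >= ctx.guild.bot_member.top_role.position:
        ctx.send("Role is above the bot's top role")
        return False
    if role.position >= ctx.author.top_role.position:
        ctx.send("Role is above your top role")
        return False
    post_reaction_role_message(ctx, ctx.guild, role)
    return True


def make_guild():
    # Constructed sample guild: bot sits at position 20, Admin above it.
    roles = {
        "@everyone": Role("@everyone", 0),
        "Member": Role("Member", 5),
        "Mod": Role("Mod", 15),
        "OSUBot": Role("OSUBot", 20),
        "Admin": Role("Admin", 30),
    }
    bot = Member("OSUBot", True, roles["OSUBot"])
    return Guild("OSU", roles, bot)
```

In the vulnerable handler the "Not authorized" reply is emitted and then the reaction role message is posted anyway, from a guild channel or from a DM. The fixed handler returns on every failed check, refuses DMs outright, resolves the role only within the caller's own guild, and additionally checks the role against both the bot's and the caller's top role so that a moderator cannot use the command to hand out roles above their own.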
Patches
ef6c54d
Workarounds
Remove OSUBot from the server, or move OSUBot's role below any role that users must not be able to obtain; the attack only reaches roles positioned under the bot's top role.
References
For more information, contact @YurBoiRene or @ndrewh.