CVE-2020-15251

Privilege Escalation in Channelmgnt plug-in for Sopel

Description

In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2 affected. Version 9.0.2 includes 1.0.3 of channelmgnt, and thus is safe from this vulnerability. See referenced GHSA-23pc-4339-95vg.

References

Link	Tags
https://github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-j257-jfvv-h3x5	third party advisory
https://github.com/MirahezeBots/sopel-channelmgnt/pull/3	third party advisory patch
https://phab.bots.miraheze.wiki/T117	broken link
https://pypi.org/project/sopel-plugins.channelmgnt/	product third party advisory
https://github.com/MirahezeBots/MirahezeBots/security/advisories/GHSA-23pc-4339-95vg	third party advisory
https://phab.bots.miraheze.wiki/phame/live/1/post/1/summary/	vendor advisory broken link

Frequently Asked Questions

What is the severity of CVE-2020-15251?: CVE-2020-15251 has been scored as a high severity vulnerability.
How to fix CVE-2020-15251?: To fix CVE-2020-15251, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-15251 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-15251 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-15251?: CVE-2020-15251 affects MirahezeBots sopel-channelmgnt.

Description

Categories

CWE-863 – Incorrect Authorization

CWE-862 – Missing Authorization

References

Frequently Asked Questions