Impact
In one case, a user with permission to ban in a channel could craft a ban whose attacker-controlled content was rendered as raw HTML in the notification shown to the channel's other moderators, allowing HTML injection into those moderators' clients.
In another case, a user with permission to queue custom embeds could queue a malicious embed whose content was rendered as raw HTML in the prompt shown to other users before they were asked to click and allow the embed, so the injection occurred before any consent was given.
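Both cases above share one root cause: untrusted strings (a ban record, an embed's title and URL) interpolated into markup without escaping. The following is an added illustration of that pattern and of its hardened form; it is not the project's own code, and the field and function names (`ban.reason`, `renderBanNoticeUnsafe`, `renderBanNoticeSafe`, `renderEmbedPromptSafe`, `safeEmbedUrl`) and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not the project's code): HTML injection in a moderation
// notification and in an embed prompt, beside the escaped versions.
// Field names and sample payloads below are constructed for illustration.

// Constructed sample inputs standing in for a malicious ban and embed.
const maliciousBan = {
  nick: 'mallory',
  channel: '#general',
  reason: '<img src=x onerror="alert(document.cookie)">',
};
const maliciousEmbed = {
  title: '"><script>alert(1)</script>',
  url: 'javascript:alert(document.cookie)',
};

// Vulnerable pattern: user-controlled fields are concatenated straight into
// markup that is later assigned to innerHTML, so the ban reason is parsed
// as HTML by every moderator client that renders the notice.
function renderBanNoticeUnsafe(ban) {
  return `<div class="notice">${ban.nick} was banned from ${ban.channel}: ${ban.reason}</div>`;
}

// Minimal HTML escaping, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// so the payload is displayed literally instead of being parsed as markup.
function renderBanNoticeSafe(ban) {
  return `<div class="notice">${escapeHtml(ban.nick)} was banned from ${escapeHtml(ban.channel)}: ${escapeHtml(ban.reason)}</div>`;
}

// Escaping alone is not enough for an href: a javascript: URL survives
// escaping intact. Parse the URL and allow only http(s), else reject it.
function safeEmbedUrl(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'https:' || parsed.protocol === 'http:' ? parsed.href : null;
  } catch {
    return null;
  }
}

// The consent prompt for a queued embed. Title is escaped as text; the URL
// is validated first, then escaped when placed in the attribute.
function renderEmbedPromptSafe(embed) {
  const href = safeEmbedUrl(embed.url);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`
    : '(invalid embed URL)';
  return `<div class="embed-prompt">Allow embed "${escapeHtml(embed.title)}" from ${link}?</div>`;
}

// Check: a rendered notice must not contain any raw tag that came from an
// untrusted field. Useful as a regression test after the fix is applied.
function containsRawTag(html, fields) {
  return fields.some((f) => /<[a-z]/i.test(f) && html.includes(f));
}
```

The `containsRawTag` check is what a reviewer would run against every place a ban or embed is rendered: the unsafe renderer fails it for the constructed payload, the escaped one passes. Note the separate URL allow-list; escaping the `javascript:` URL would have left the link clickable.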
Patches
All server operators should upgrade to the latest commit, or cherry-pick c78ef33 if running a fork.
Workarounds
Until patched, do not grant untrusted users permission to queue custom embeds or to ban/unban in a channel.
References
Thanks to nemo2137 on IRC for reporting this.