This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Stored XSS in Anchorr's Web Dashboard user mapping dropdown. π₯ **Consequences**: Malicious scripts persist on the server.β¦
π‘οΈ **Root Cause**: **CWE-79** (Improper Neutralization of Input). The application fails to sanitize user-supplied input in the **user mapping dropdown** before storing it in the database.β¦
π― **Affected**: **Anchorr** (by openVESSL). Specifically versions **1.4.1 and earlier**. It is a Discord bot integrating media search & notifications. If you use the Web Dashboard feature, you are at risk.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: Steal **Admin Credentials** & **Session Tokens**. Gain unauthorized access to the Discord bot's configuration. Potentially execute arbitrary commands via the compromised admin session.β¦
π¦ **Public Exploit**: **No**. The data indicates `pocs: []`. While the vulnerability is confirmed, no public Proof-of-Concept (PoC) or automated exploit kit is currently available in the provided data.β¦
π **Self-Check**: 1. Identify if you run **Anchorr < 1.4.2**. 2. Check if you use the **Web Dashboard**. 3. Inspect the **User Mapping** settings for any unusual characters or scripts in dropdown options. 4.β¦
β **Fixed**: **Yes**. The vendor released **v1.4.2** which patches this issue. See the GitHub Advisory (GHSA-qpmq-6wjc-w28q) and the release commit for details. **Upgrade immediately** to v1.4.2+.
Q9What if no patch? (Workaround)
π§ **No Patch Workaround**: If you cannot upgrade: 1. **Disable** the Web Dashboard if not essential. 2. Strictly **sanitize** all input fields in the User Mapping dropdown. 3.β¦
π₯ **Urgency**: **HIGH**. CVSS Score is **9.8** (Critical). Although it requires user interaction, the impact is severe (full credential theft). As a bot admin, your access is critical.β¦