CVE-2021-26918

9.8 CRITICAL

📋 TL;DR

This vulnerability in ProBot for Discord allows attackers to upload files with double extensions (such as .html.jpg) that the uploader then serves with a text/html Content-Type. Because the browser renders such a file as HTML, this can enable cross-site scripting (XSS) or other client-side attacks when users view uploaded content. The vulnerability affects Discord servers using ProBot with the 'Send an image when a user joins' feature enabled.

💻 Affected Systems

Products:
  • ProBot for Discord
Versions: All versions through 2021-02-08
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the 'Send an image when a user joins the server' feature to be enabled. The uploader web service must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could upload malicious HTML/JavaScript files that execute in users' browsers when they join a server, potentially leading to account compromise, credential theft, or malware distribution.

🟠 Likely Case

Cross-site scripting (XSS) attacks where malicious scripts execute in victims' browsers, potentially stealing Discord tokens or session cookies.

🟢 If Mitigated

If proper file type validation is implemented, only legitimate image files would be accepted, preventing malicious uploads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload files to the service. Public proof-of-concept demonstrates file upload with double extensions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None provided

Restart Required: No

Instructions:

No official patch available. Consider disabling the feature or implementing server-side file validation.

🔧 Temporary Workarounds

Disable vulnerable feature (applies to: all)

Turn off the 'Send an image when a user joins the server' feature in ProBot settings

Implement file validation (applies to: all)

Add server-side validation to reject files with double extensions and verify actual file types
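The validation described in this workaround, written out as an added example (not ProBot's own code): a filename is accepted only if it has a single allowlisted image extension, the file's leading bytes match that format, and the Content-Type to serve comes from the allowlist rather than from the upload. The sample inputs are constructed.

```python
from typing import Tuple

# Allowlist of image types: extension -> (accepted magic-byte prefixes, Content-Type to serve).
# The served Content-Type always comes from this table, never from the uploaded name.
IMAGE_TYPES = {
    "jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
}

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail). On success detail is the Content-Type to serve;
    on rejection it names the check that failed."""
    # Keep only the final path component so a client cannot smuggle directories in.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    # Exactly one extension: "photo.jpg" passes, "page.html.jpg" does not.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <name>.<ext> with a single extension"
    ext = parts[1]
    if ext not in IMAGE_TYPES:
        return False, f"extension .{ext} is not an allowed image type"
    magics, content_type = IMAGE_TYPES[ext]
    # The extension alone proves nothing; the bytes must actually be that image format.
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not match the .{ext} signature"
    return True, content_type

def response_headers(content_type: str) -> dict:
    """Headers for serving an accepted file: fixed type plus nosniff so the
    browser cannot reinterpret the body as HTML."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}

# Constructed sample inputs (not real uploads): a minimal JPEG header and an HTML body.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
HTML_PAYLOAD = b"<html><script>/* constructed sample */</script></html>"

if __name__ == "__main__":
    for fname, blob in [("avatar.jpg", REAL_JPEG),
                        ("page.html.jpg", REAL_JPEG),
                        ("avatar.jpg", HTML_PAYLOAD),
                        ("page.html", HTML_PAYLOAD)]:
        print(fname, validate_upload(fname, blob))
```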

🧯 If You Can't Patch

  • Disable the image upload feature entirely in ProBot configuration
  • Implement a web application firewall (WAF) rule to block requests with double file extensions

🔍 How to Verify

Check if Vulnerable:

Check if ProBot version is 2021-02-08 or earlier and the image upload feature is enabled

Check Version:

Check ProBot documentation or bot settings for version information

Verify Fix Applied:

Test file upload with double extensions - they should be rejected or properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • File upload requests with double extensions
  • Responses for uploaded files that are served with a text/html Content-Type

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file names
  • Subsequent requests to uploaded malicious files

SIEM Query:

http.method:POST AND (http.uri:*upload* OR http.uri:*image*) AND (http.user_agent:*ProBot* OR http.user_agent:*Discord*) AND http.request_body:*.html.*
