Cocotais Bot Command Injection Vulnerability Allowing Unauthorized @everyone Mentions

A command injection vulnerability has been identified in Cocotais Bot, a QQ robot framework based on qq-bot-sdk. This issue affects versions 1.5.0-test2-hotfix through 1.6.1. The vulnerability arises from the command echoing feature, which allows users to inject special platform tags that trigger privileged behaviors. Specifically, an unauthorized user can use the '/echo <qqbot-at-everyone />' command to make the bot mention all members in a chat, bypassing permission controls. This exploitation can lead to spam and disruption of notification systems.

Impact

Exploitation of this vulnerability allows unauthorized users to send @everyone mentions through the bot, causing all chat members to receive notifications and potentially leading to spam and disruption.

Reproduction

To reproduce this vulnerability, set up a chatbot using the affected Cocotais Bot framework version 1.5.0-test2-hotfix through 1.6.1. Join a chat as a regular user without permission to use @全体成员. Send the message '/echo <qqbot-at-everyone />'. The bot will repeat the message, and the platform will interpret it as an @全体成员 mention, notifying all chat members.

Remediation

Users can upgrade to Cocotais Bot version 1.6.2, which patches this vulnerability.