Anchorr Discord Bot Stored Cross-Site Scripting Vulnerability Allowing Credential Theft

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Anchorr Discord bot, specifically in versions through 1.4.1. This vulnerability resides in the web dashboard's User Mapping dropdown, where Discord member display names are rendered without proper sanitization. Unprivileged Discord users can exploit this flaw to inject arbitrary JavaScript that executes in the context of the Anchorr admin's browser. By combining this with a request to the '/api/config' endpoint, which exposes sensitive credentials in plaintext, an attacker can exfiltrate all stored secrets from Anchorr, including the Discord bot token, Jellyfin and Jellyseerr API keys, JWT and webhook secrets, and bcrypt password hashes.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, leading to credential theft. The stolen credentials include the Discord bot token, which can be used to impersonate the bot; Jellyfin and Jellyseerr API keys, granting full access to those services; and administrative JWT secrets, which can be used to forge authentication tokens and gain unauthorized access to the Anchorr dashboard.

Reproduction

To reproduce this vulnerability, a Discord user first sets their display name to a payload built from an image tag whose 'onerror' event handler carries the script. Once the payload is in place, selecting that Discord account in the Anchorr admin dashboard's User Mapping dropdown renders the unsanitized name and executes the injected JavaScript in the admin's browser. That script can then request the '/api/config' endpoint, which returns all of Anchorr's stored secrets in plaintext, and send the response to an external server.

Remediation

Users are advised to update to Anchorr version 1.4.2, which addresses this vulnerability by sanitizing user inputs, validating avatar URLs, and implementing security measures such as response headers and authentication rate limiting.
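As an added example, not Anchorr's own code, the vulnerable rendering pattern is shown beside a hardened one that escapes display names and validates avatar URLs before the dropdown markup is built. Helper names, the row markup and the allowed avatar host are assumptions.

```javascript
// Added example, not Anchorr's code: escape display names and validate avatar
// URLs before building User Mapping dropdown markup. Helper names, the row
// markup and the allowed avatar host are assumptions.

const ALLOWED_AVATAR_HOSTS = new Set(["cdn.discordapp.com"]); // assumption

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only https URLs on an allow-listed host; anything else gets a neutral fallback.
function safeAvatarUrl(candidate, fallback = "/static/default-avatar.png") {
  let url;
  try { url = new URL(String(candidate)); } catch { return fallback; }
  if (url.protocol !== "https:" || !ALLOWED_AVATAR_HOSTS.has(url.hostname)) return fallback;
  return url.href;
}

// Vulnerable pattern: untrusted member fields interpolated verbatim into markup.
function renderRowUnsafe(member) {
  return `<li data-id="${member.id}"><img src="${member.avatar}"> ${member.displayName}</li>`;
}

// Hardened pattern: every untrusted field is escaped or validated first.
function renderRowSafe(member) {
  const id = escapeHtml(member.id);
  const avatar = escapeHtml(safeAvatarUrl(member.avatar));
  const name = escapeHtml(member.displayName);
  return `<li data-id="${id}"><img src="${avatar}"> ${name}</li>`;
}

// Constructed sample: a display name carrying the inline event-handler pattern
// this advisory describes, and an avatar URL pointing off-site.
const sampleMember = {
  id: "123456789012345678",
  displayName: "<img src=x onerror=alert(1)>",
  avatar: "http://attacker.invalid/pic.png",
};

console.log(renderRowUnsafe(sampleMember)); // markup still contains a live <img ... onerror>
console.log(renderRowSafe(sampleMember));   // name appears as inert text: &lt;img src=x ...
```

In DOM code the equivalent is building the row with createElement and assigning textContent and img.src rather than innerHTML; the same checks belong on the server before a display name is stored or returned by the API.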

Added: Mar 20, 2026, 3:30 AM
Updated: Mar 20, 2026, 3:30 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.9
exploitability: 6.3
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.