Anchorr Discord Bot Stored Cross-Site Scripting Vulnerability Allowing Admin Access
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Anchorr Discord bot, specifically in versions through 1.4.1. The issue arises within the Jellyseerr user selector, where unescaped display names can be used to inject arbitrary JavaScript. This injected script executes in the context of the Anchorr admin's browser session, calling the authenticated /api/config endpoint, which exposes the full application configuration, including sensitive tokens and API keys. This vulnerability enables an attacker to forge a valid Anchorr session token, gaining full admin access to the dashboard without needing the admin password. The exposed configuration also includes API keys for integrated services, allowing for account takeovers on Jellyfin, Jellyseerr, and Discord.
Impact
Exploitation of this vulnerability allows for unauthorized admin access in Anchorr, with the forged session token indistinguishable from a legitimate one. The vulnerability also leads to the exposure of sensitive API keys and tokens for multiple integrated services, facilitating account takeovers on those platforms.
Reproduction
To reproduce this vulnerability, a Jellyseerr account is needed. First, inject a payload into the Jellyseerr profile display name that exploits the XSS vulnerability. Once the payload is set, an Anchorr admin must be induced to open the dashboard and navigate to the Mappings tab, where the injected script will execute in the admin's browser session. The script can then exfiltrate the JWT secret and other sensitive data from the Anchorr configuration via a beacon to an external server.
Remediation
Users are advised to update to Anchorr version 1.4.2, which addresses the stored XSS vulnerability by sanitizing user input and implementing additional security measures.
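The root cause above is a display name interpolated into dashboard markup without escaping. The following is an added illustration, not Anchorr's own code: the unsafe rendering pattern beside an escaped version, using an assumed option-list shape and function names, with a constructed sample display name.

```javascript
// Added example (not Anchorr's code). The markup shape and function names are
// assumptions; the real dashboard templates are not shown in the advisory.

// Vulnerable pattern: raw string interpolation into HTML. Any markup inside the
// Jellyseerr display name becomes part of the admin's DOM, so script carried in
// the name runs in the admin's authenticated session (the stored XSS described).
function renderUserOptionUnsafe(user) {
  return `<option value="${user.id}">${user.displayName}</option>`;
}

// Fix: escape the characters that can break out of text or attribute context
// before the value is rendered as HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderUserOptionSafe(user) {
  return `<option value="${escapeHtml(user.id)}">${escapeHtml(user.displayName)}</option>`;
}

// In a real browser the stronger fix is to build the node and assign textContent,
// which is never parsed as markup. `doc` is the Document to build against.
function renderUserOptionDom(doc, user) {
  const opt = doc.createElement('option');
  opt.value = String(user.id);
  opt.textContent = String(user.displayName);
  return opt;
}

// Constructed sample: a display name that carries a script tag, as any
// Jellyseerr account holder could set on their own profile.
const hostileUser = { id: 7, displayName: '<script>alert(1)</script>' };

// Detection check for a rendered fragment: does a raw <script tag survive?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log('unsafe:', renderUserOptionUnsafe(hostileUser));
console.log('safe:  ', renderUserOptionSafe(hostileUser));
```

The escaped output keeps the hostile name visible as literal text in the selector, which is exactly what the 1.4.2 fix needs to guarantee for every place a Jellyseerr name is rendered.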
