Impact Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban. Workarounds Sanitizing user input, ensuring strings are valid for the purpose they are being used for. Encoding input with encodeURIComponent before providing it to the library. References…Read More
Oceanic allows unsanitized user input to lead to path traversal in URLs
