Impact
Privilege escalation and exploit of the -config command. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings.
Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected.
Patches
This issue was immediately patched when we discovered it. Everyone is advised to upgrade to v10 as soon as possible, although you can also upgrade to v9.26.7.
Workarounds
A workaround would be to create a command permission overwrite in the database. The following SQL statement can be executed to create an overwrite that prevents users without the ManageGuild permission from running the -config command:
INSERT INTO "public"."command_permission_overwrites" ("guild_id", "commands", "required_discord_permissions", "required_system_permissions", "required_roles", "required_users", "required_channels", "required_level", "disabled", "on_match")
VALUES ('<guild_id>', '{"config"}', '["ManageGuild"]', 'null', 'null', 'null', 'null', null, 'false', 'Allow');
Run this for every server the bot is in, and replace <guild_id> with the appropriate Guild ID each time.
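Because the statement has to be repeated once per server, the script below generates it for a list of guild IDs so that no server is missed or mistyped. It is an added example, not part of the original advisory or the project's code; the function names, the 17-20 digit ID check and the BEGIN/COMMIT wrapper are assumptions, and the sample IDs are constructed.

```python
import re

# Assumption: Discord guild IDs (snowflakes) are 17-20 decimal digits.
SNOWFLAKE = re.compile(r"[0-9]{17,20}")

# The advisory's workaround statement, unchanged; <guild_id> is the only variable part.
STATEMENT = (
    'INSERT INTO "public"."command_permission_overwrites" ("guild_id", "commands", '
    '"required_discord_permissions", "required_system_permissions", "required_roles", '
    '"required_users", "required_channels", "required_level", "disabled", "on_match")\n'
    "VALUES ('<guild_id>', '{\"config\"}', '[\"ManageGuild\"]', 'null', 'null', 'null', "
    "'null', null, 'false', 'Allow');"
)


def normalize_guild_ids(raw_ids):
    """Strip whitespace, skip blanks, drop duplicates, reject non-snowflake values."""
    seen, result = set(), []
    for raw in raw_ids:
        gid = raw.strip()
        if not gid:
            continue
        if not SNOWFLAKE.fullmatch(gid):
            # Refuse anything that is not purely numeric so no quote or SQL
            # fragment can end up inside the generated statement.
            raise ValueError(f"not a valid guild ID: {gid!r}")
        if gid not in seen:
            seen.add(gid)
            result.append(gid)
    return result


def build_script(raw_ids):
    """Return one transaction containing the workaround INSERT for each guild."""
    ids = normalize_guild_ids(raw_ids)
    if not ids:
        raise ValueError("no guild IDs given")
    body = "\n".join(STATEMENT.replace("<guild_id>", gid) for gid in ids)
    return f"BEGIN;\n{body}\nCOMMIT;\n"


if __name__ == "__main__":
    # Constructed sample IDs, not real servers.
    print(build_script(["123456789012345678", "987654321098765432"]))
```

Review the generated script before running it against the bot's database; the single transaction means either every listed server receives the overwrite or none does.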
References
Please join our Discord Server if you have questions.