{"id":"CVE-2023-33198","summary":"Incorrectly Specified Chat Message Destinations in tgstation-server and DreamMaker API","details":"tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. As a result, chat messages may be sent to the wrong destination: any one of the IRC or Discord channels configured for the instance on enabled chat bots, rather than the intended channel. This lasts until the instance's chat channels are updated in TGS or DreamDaemon is restarted. TGS chat commands, custom or otherwise, are unaffected.\n","aliases":["GHSA-p2xj-w57r-6f5m"],"modified":"2026-04-10T04:58:10.314198Z","published":"2023-05-30T04:37:13.928Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33198.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-941"]},"references":[{"type":"WEB","url":"https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33198.json"},{"type":"ADVISORY","url":"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-p2xj-w57r-6f5m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33198"},{"type":"FIX","url":"https://github.com/tgstation/tgstation-server/pull/1493"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tgstation/tgstation-server","events":[{"introduced":"d1f36fece6f715bc85bd5c468618efea10b8a1b7"},{"fixed":"7aa47f79ceb6d658a91420ea339dc46c8df75624"}]}],"versions":["api-v6.3.0","api-v6.4.0","api-v6.4.1","api-v6.5.0","api-v6.5.1","api-v6.6.0","api-v7.2.0","api-v7.2.1","api-v7.2.2","api-v7.2.3","api-v7.2.4","api-v7.3.0","api-v7.3.1","api-v7.3.2","api-v7.4.0","api-v8.3.0","api-v9.0.1","api-v9.1.0","api-v9.10.0","api-v9.10.1","api-v9.10.2","api-v9.3.0","api-v9.4.0","api-v9.5.0","api-v9.6.0","api-v9.7.0","api-v9.8.0","api-
v9.8.1","api-v9.9.0","dmapi-v5.1.1","dmapi-v5.2.0","dmapi-v5.2.1","dmapi-v5.2.3","dmapi-v5.2.4","dmapi-v5.2.5","dmapi-v5.2.6","dmapi-v5.2.7","dmapi-v5.2.8","dmapi-v5.2.9","dmapi-v6.0.0","dmapi-v6.0.1","dmapi-v6.0.2","dmapi-v6.0.3","dmapi-v6.0.5","dmapi-v6.1.0","dmapi-v6.2.0","dmapi-v6.3.0","dmapi-v6.3.1","dmapi-v6.4.0","dmapi-v6.4.1","dmapi-v6.4.2","dmapi-v6.4.3","tgstation-server-migrator-1.0.0","tgstation-server-migrator-1.0.1","tgstation-server-v4.0.0.0","tgstation-server-v4.0.0.1","tgstation-server-v4.0.0.2","tgstation-server-v4.0.0.3","tgstation-server-v4.0.0.4","tgstation-server-v4.0.0.5","tgstation-server-v4.0.0.6","tgstation-server-v4.0.1.0","tgstation-server-v4.0.1.1","tgstation-server-v4.0.1.2","tgstation-server-v4.0.1.3","tgstation-server-v4.0.1.4","tgstation-server-v4.0.2.0","tgstation-server-v4.0.2.1","tgstation-server-v4.1.0","tgstation-server-v4.1.1","tgstation-server-v4.1.2","tgstation-server-v4.1.3","tgstation-server-v4.1.4","tgstation-server-v4.10.0","tgstation-server-v4.10.1","tgstation-server-v4.10.2","tgstation-server-v4.10.3","tgstation-server-v4.10.4","tgstation-server-v4.10.5","tgstation-server-v4.10.6","tgstation-server-v4.11.0","tgstation-server-v4.11.1","tgstation-server-v4.12.0","tgstation-server-v4.12.1","tgstation-server-v4.13.0","tgstation-server-v4.14.0","tgstation-server-v4.14.1","tgstation-server-v4.14.2","tgstation-server-v4.14.3","tgstation-server-v4.15.0","tgstation-server-v4.15.1","tgstation-server-v4.15.2","tgstation-server-v4.15.3","tgstation-server-v4.15.4","tgstation-server-v4.15.5","tgstation-server-v4.15.6","tgstation-server-v4.15.7","tgstation-server-v4.16.0","tgstation-server-v4.16.1","tgstation-server-v4.16.2","tgstation-server-v4.17.0","tgstation-server-v4.17.1","tgstation-server-v4.17.2","tgstation-server-v4.18.0","tgstation-server-v4.19.0","tgstation-server-v4.19.1","tgstation-server-v4.2.0","tgstation-server-v4.2.1","tgstation-server-v4.2.2","tgstation-server-v4.2.3","tgstation-server-v4.2.4","tgstation-server-v4.2.
5","tgstation-server-v4.2.6","tgstation-server-v4.2.7","tgstation-server-v4.2.8","tgstation-server-v4.3.0","tgstation-server-v4.3.1","tgstation-server-v4.3.2","tgstation-server-v4.3.3","tgstation-server-v4.3.4","tgstation-server-v4.3.5","tgstation-server-v4.3.6","tgstation-server-v4.4.0","tgstation-server-v4.4.1","tgstation-server-v4.4.2","tgstation-server-v4.4.3","tgstation-server-v4.4.4","tgstation-server-v4.4.5","tgstation-server-v4.5.0","tgstation-server-v4.5.1","tgstation-server-v4.5.2","tgstation-server-v4.5.3","tgstation-server-v4.5.4","tgstation-server-v4.6.0","tgstation-server-v4.6.1","tgstation-server-v4.6.2","tgstation-server-v4.6.3","tgstation-server-v4.7.0","tgstation-server-v4.7.1","tgstation-server-v4.7.2","tgstation-server-v4.7.3","tgstation-server-v4.8.0","tgstation-server-v4.8.1","tgstation-server-v4.8.2","tgstation-server-v4.9.0","tgstation-server-v4.9.1","tgstation-server-v4.9.2","tgstation-server-v4.9.3","tgstation-server-v5.0.0","tgstation-server-v5.0.1","tgstation-server-v5.0.2","tgstation-server-v5.0.3","tgstation-server-v5.1.0","tgstation-server-v5.1.1","tgstation-server-v5.1.2","tgstation-server-v5.1.3","tgstation-server-v5.1.4","tgstation-server-v5.10.0","tgstation-server-v5.11.0","tgstation-server-v5.12.0","tgstation-server-v5.12.1","tgstation-server-v5.2.0","tgstation-server-v5.2.1","tgstation-server-v5.2.2","tgstation-server-v5.2.3","tgstation-server-v5.2.4","tgstation-server-v5.3.0","tgstation-server-v5.3.1","tgstation-server-v5.3.2","tgstation-server-v5.5.0","tgstation-server-v5.6.0","tgstation-server-v5.7.0","tgstation-server-v5.7.1","tgstation-server-v5.7.2","tgstation-server-v5.7.3","tgstation-server-v5.8.0","tgstation-server-v5.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33198.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"}]}