CVE-2026-32890
Anchorr · Anchorr Discord Bot
Anchorr versions 1.4.1 and below suffer from a stored XSS vulnerability in the User Mapping dropdown, enabling unauthenticated attackers to exfiltrate critical secrets and API keys.
Executive summary
A critical stored Cross-Site Scripting (XSS) vulnerability in Anchorr allows attackers to exfiltrate sensitive credentials, including Discord tokens and API keys, by targeting an administrator's browser.
Vulnerability
The web dashboard's User Mapping dropdown fails to sanitize input, allowing any Discord user in a configured guild to inject malicious JavaScript. This script executes in the admin's session to exfiltrate plaintext secrets from the /api/config endpoint without requiring direct authentication to the bot.
Business impact
The impact is severe, as the vulnerability facilitates the theft of critical secrets like DISCORD_TOKEN, JELLYFIN_API_KEY, and JWT_SECRET. This leads to a total compromise of the bot and all integrated media services, potentially exposing user data and allowing unauthorized access to the underlying media server infrastructure. The CVSS score of 9.6 highlights the extreme risk of credential exfiltration.
Remediation
Immediate Action: Update the Anchorr bot to version 1.4.2 to patch the XSS vulnerability and secure the configuration endpoint.
Proactive Monitoring: Monitor Discord guild activity for suspicious user mapping requests and review web server logs for unauthorized access to the /api/config endpoint.
Compensating Controls: Deploy a Content Security Policy (CSP) to restrict where scripts can be executed and where data can be exfiltrated, reducing the effectiveness of XSS attacks.
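As an added illustration that is not Anchorr's own code (the dashboard's internals are not shown in this advisory), the following contrasts the unsafe rendering pattern behind a stored XSS in a user-mapping dropdown with an escaped form, and sketches a dashboard CSP of the kind the compensating control above describes. All function names, the sample usernames and the CSP directives are constructed assumptions.

```javascript
// Added illustration; not Anchorr's code. Names and sample data are constructed.

// Constructed sample: display names as they might arrive from a Discord guild.
// The second one contains markup; stored XSS arises when such a value is
// written into the dashboard page as HTML rather than as text.
const SAMPLE_USERS = [
  { id: "111", name: "alice" },
  { id: "222", name: '<b onclick="x()">bob</b>' },
];

// Vulnerable pattern: untrusted names interpolated straight into HTML.
// The second user's name becomes live markup in the admin's browser.
function renderOptionsUnsafe(users) {
  return users.map((u) => `<option value="${u.id}">${u.name}</option>`).join("");
}

// Minimal HTML escaper covering text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped for the context it lands in.
function renderOptionsSafe(users) {
  return users
    .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.name)}</option>`)
    .join("");
}

// Compensating control (assumed directives): script-src refuses inline and
// third-party scripts; connect-src refuses fetch/XHR to other origins, which is
// the channel an injected script would need to send /api/config data elsewhere.
const DASHBOARD_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "connect-src 'self'",
  "object-src 'none'",
  "base-uri 'none'",
].join("; ");

// Defensive check: true if the rendered markup contains any tag other than
// the <option> elements the renderer itself emits.
function containsLiveMarkup(html) {
  return /<(?!\/?option\b)/.test(html);
}
```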
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations utilizing Anchorr must treat this as a critical priority due to the plaintext exposure of API keys and tokens. Immediate application of version 1.4.2 is required. Following the update, it is strongly recommended to rotate all potentially exposed secrets, including Discord tokens and media server API keys.