Update 2024-07-03-zncpsa.md

Clarify the precise nature and consequences of the vulnerability. This is code injection, not command injection, and shell account compromise is directly possible due to the vuln without requiring additional chained exploits.
Libera-Chat · Jul 3, 2024 · caa4d88 · caa4d88
1 parent 7ba30e6
commit caa4d88
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/content/_posts/2024-07-03-zncpsa.md b/content/_posts/2024-07-03-zncpsa.md
@@ -13,11 +13,10 @@ modtcl. Please unload this module until it can be upgraded to a patched
 version. You can unload this module by running `/quote ZNC unloadmod modtcl`.
 
 Modtcl in ZNC versions prior to 1.9.1 contains an injection vulnerability
-([CVE-2024-39844]) that allows channel operators to run arbitrary ZNC
-commands as a ZNC user in their channel. This exploit can be used to
-compromise NickServ accounts or channels. Attacks may also leverage other
-modules or vulnerabilities to cause compromise of the system user account
-that is running ZNC.
+([CVE-2024-39844]) that allows channel operators to run arbitrary TCL code
+on ZNC instances present in their channel. This exploit can be used to
+compromise NickServ accounts, channels, or the system user account that is
+running ZNC.
 
 Luckily, modtcl is not loaded by default. To check if you have modtcl loaded,
 run `/quote ZNC listmods` to see the list of loaded modules. If you have