Impact
The vulnerability enables any user who can open a support ticket to supply a reason containing @everyone, @here, user mentions, or role mentions. When the Quest Bot creates the new ticket channel, it posts the attacker-controlled reason verbatim without restricting which mentions may resolve, so Discord parses them and notifies every member the mentions reach who can see the channel.
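The mechanism described above, as an added example that is not code from the Quest Bot project (the advisory does not state the bot's language or library). It models the Discord REST message payload and the documented `allowed_mentions` field so it runs offline; discord.js exposes the same control as `allowedMentions` on `channel.send()`. The function names, sample IDs and sample reason are constructed for illustration.

```javascript
// Added example (not the Quest Bot's own code). It compares a ticket message
// that echoes an attacker-supplied reason with no mention control against one
// that sends an explicit allowed_mentions allow-list, and approximates which
// mentions Discord would actually notify for each.

// Mention syntaxes Discord resolves inside message content.
const USER_MENTION = /<@!?(\d{17,20})>/g;
const ROLE_MENTION = /<@&(\d{17,20})>/g;

// Extract every mention kind from a string (e.g. a ticket reason typed by a user).
function findMentions(text) {
  const ids = (re) => [...new Set([...text.matchAll(re)].map((m) => m[1]))];
  return {
    everyone: text.includes("@everyone"),
    here: text.includes("@here"),
    users: ids(USER_MENTION),
    roles: ids(ROLE_MENTION),
  };
}

// Vulnerable pattern: the reason is interpolated into content and
// allowed_mentions is omitted, so Discord parses every mention in it.
function buildTicketMessageVulnerable(openerId, reason) {
  return { content: `Ticket opened by <@${openerId}>\nReason: ${reason}` };
}

// Hardened pattern: an explicit allow-list. parse: [] disables @everyone/@here
// and all user/role parsing; only the opener (an ID the bot supplies, not the
// attacker) may be pinged. The reason text still displays unchanged.
function buildTicketMessageHardened(openerId, reason) {
  return {
    content: `Ticket opened by <@${openerId}>\nReason: ${reason}`,
    allowed_mentions: { parse: [], users: [openerId], roles: [] },
  };
}

// Approximation of Discord's documented allowed_mentions rules: without the
// field, everything in the content is parsed; with it, only the kinds listed
// in `parse` plus the explicit `users`/`roles` lists notify. @everyone/@here
// additionally require the bot's MENTION_EVERYONE permission. Assumes any
// role mentioned is mentionable by the bot (hypothetical simplification).
function resolveNotifications(payload, botCanMentionEveryone) {
  const found = findMentions(payload.content);
  const am = payload.allowed_mentions;
  const parse = am ? am.parse || [] : ["everyone", "users", "roles"];
  const pick = (kind, ids, explicit) =>
    parse.includes(kind) ? ids : ids.filter((id) => (explicit || []).includes(id));
  return {
    everyone: (found.everyone || found.here) && parse.includes("everyone") && botCanMentionEveryone,
    users: pick("users", found.users, am && am.users),
    roles: pick("roles", found.roles, am && am.roles),
  };
}

// Constructed sample input: a reason stuffed with mass, role and user mentions.
const SAMPLE_OPENER = "222222222222222222";
const SAMPLE_REASON =
  "@everyone @here urgent, ping <@&123456789012345678> and <@111111111111111111> now";

// Compare what each payload would cause to notify when the bot holds MENTION_EVERYONE.
function demo() {
  return {
    vulnerable: resolveNotifications(buildTicketMessageVulnerable(SAMPLE_OPENER, SAMPLE_REASON), true),
    hardened: resolveNotifications(buildTicketMessageHardened(SAMPLE_OPENER, SAMPLE_REASON), true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable payload notifying everyone, the mentioned role and both users, while the hardened payload notifies only the ticket opener. Escaping or stripping mentions from the reason text is weaker than the allow-list: Discord decides what notifies from `allowed_mentions`, so the allow-list holds even if a new mention syntax slips past a regex.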
Affected Systems
Quest Bot for Discord by Duck-organization, all releases prior to version 1.0.3. Every deployment of those versions is affected to the extent that the bot can post mentions in the ticket channel: user mentions resolve regardless of permissions, while @everyone, @here, and mentions of roles not marked as mentionable by anyone also require the bot to hold the "Mention @everyone, @here, and All Roles" permission there.
Risk and Exploitability
The CVSS base score of 6.3 falls in the Medium range. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an ordinary member invoking the ticket command, which requires no privileges beyond the ability to open a ticket. An attacker who can do so repeatedly can broadcast mass mentions and flood channel members with notifications, disrupting normal use of the server; this impact follows directly from the bot relaying arbitrary mentions rather than from any further flaw. Upgrading to 1.0.3 or later is the fix indicated by the affected range; removing the bot's mass-mention permission limits the blast radius to individual user mentions but does not close the issue.
OpenCVE Enrichment