Vulnerabilites related to misskey - misskey
CVE-2023-24810 (GCVE-0-2023-24810)
Vulnerability from cvelistv5
Published
2023-02-22 19:15
Modified
2025-03-10 21:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 13.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:02.272827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:06:41.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 13.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T19:15:34.157Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m"
}
],
"source": {
"advisory": "GHSA-cc6r-chgr-8r5m",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting (XSS) vulnerability using authentication callback in Misskey"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-24810",
"datePublished": "2023-02-22T19:15:34.157Z",
"dateReserved": "2023-01-30T14:43:33.703Z",
"dateUpdated": "2025-03-10T21:06:41.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25154 (GCVE-0-2023-25154)
Vulnerability from cvelistv5
Published
2023-02-22 19:00
Modified
2025-03-10 21:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 13.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.819Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:07.540193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:06:59.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 13.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not \"view on remote\" for untrusted instances."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T19:00:25.905Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25"
}
],
"source": {
"advisory": "GHSA-pfp5-r48x-fg25",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting (XSS) of ActivityPub URI in misskey"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25154",
"datePublished": "2023-02-22T19:00:25.905Z",
"dateReserved": "2023-02-03T16:59:18.242Z",
"dateUpdated": "2025-03-10T21:06:59.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49079 (GCVE-0-2023-49079)
Vulnerability from cvelistv5
Published
2023-11-29 18:56
Modified
2024-08-02 21:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 2023.11.1-beta.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:29.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.11.1-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Misskey\u0027s missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T18:56:17.189Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc"
}
],
"source": {
"advisory": "GHSA-3f39-6537-3cgc",
"discovery": "UNKNOWN"
},
"title": "Misskey\u0027s missing signature validation allows arbitrary users to impersonate any remote user."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49079",
"datePublished": "2023-11-29T18:56:17.189Z",
"dateReserved": "2023-11-21T18:57:30.428Z",
"dateUpdated": "2024-08-02T21:46:29.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43793 (GCVE-0-2023-43793)
Vulnerability from cvelistv5
Published
2023-10-04 20:21
Modified
2024-09-20 14:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 2023.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc"
},
{
"name": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "misskey",
"vendor": "misskey",
"versions": [
{
"lessThan": "2023.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T18:38:08.553117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T14:57:07.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T20:22:32.509Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc"
},
{
"name": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2"
}
],
"source": {
"advisory": "GHSA-9fj2-gjcf-cqqc",
"discovery": "UNKNOWN"
},
"title": "Misskey allows users to bypass authentication of Bull dashboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43793",
"datePublished": "2023-10-04T20:21:29.294Z",
"dateReserved": "2023-09-22T14:51:42.339Z",
"dateUpdated": "2024-09-20T14:57:07.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-25636 (GCVE-0-2024-25636)
Vulnerability from cvelistv5
Published
2024-02-19 19:42
Modified
2024-08-15 18:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 2024.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:44:09.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "misskey",
"vendor": "misskey",
"versions": [
{
"lessThan": "2024.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:05:48.681826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T18:36:56.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 2024.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn\u0027t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T19:42:20.688Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"
}
],
"source": {
"advisory": "GHSA-qqrm-9grj-6v32",
"discovery": "UNKNOWN"
},
"title": "Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25636",
"datePublished": "2024-02-19T19:42:20.688Z",
"dateReserved": "2024-02-08T22:26:33.513Z",
"dateUpdated": "2024-08-15T18:36:56.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39195 (GCVE-0-2021-39195)
Vulnerability from cvelistv5
Published
2021-09-07 19:00
Modified
2024-08-04 01:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 12.90.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 12.90.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in \"Upload from URL\" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-07T19:00:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904"
}
],
"source": {
"advisory": "GHSA-mqv7-gxh4-r5vf",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery vulnerability in misskey",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39195",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery vulnerability in misskey"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "misskey",
"version": {
"version_data": [
{
"version_value": "\u003c 12.90.0"
}
]
}
}
]
},
"vendor_name": "misskey-dev"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in \"Upload from URL\" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf",
"refsource": "CONFIRM",
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e",
"refsource": "MISC",
"url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e"
},
{
"name": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904",
"refsource": "MISC",
"url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904"
}
]
},
"source": {
"advisory": "GHSA-mqv7-gxh4-r5vf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39195",
"datePublished": "2021-09-07T19:00:12",
"dateReserved": "2021-08-16T00:00:00",
"dateUpdated": "2024-08-04T01:58:18.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24896 (GCVE-0-2025-24896)
Vulnerability from cvelistv5
Published
2025-02-11 15:14
Modified
2025-02-12 20:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-613 - Insufficient Session Expiration
Summary
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: >= 12.109.0, < 2025.2.0-alpha.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:48:20.307733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:44.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 12.109.0, \u003c 2025.2.0-alpha.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else\u0027s device, but it\u0027s possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:14:09.305Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824"
}
],
"source": {
"advisory": "GHSA-w98m-j6hq-cwjm",
"discovery": "UNKNOWN"
},
"title": "Misskey allows token to remain valid in cookie after signing out"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24896",
"datePublished": "2025-02-11T15:14:09.305Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-12T20:51:44.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39169 (GCVE-0-2021-39169)
Vulnerability from cvelistv5
Published
2021-08-27 12:40
Modified
2024-08-04 01:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 12.51.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 12.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-27T12:40:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99"
}
],
"source": {
"advisory": "GHSA-pmmv-jwqh-f5ww",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability using dialog",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39169",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability using dialog"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "misskey",
"version": {
"version_data": [
{
"version_value": "\u003c 12.51.0"
}
]
}
}
]
},
"vendor_name": "misskey-dev"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww",
"refsource": "CONFIRM",
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99",
"refsource": "MISC",
"url": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99"
}
]
},
"source": {
"advisory": "GHSA-pmmv-jwqh-f5ww",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39169",
"datePublished": "2021-08-27T12:40:09",
"dateReserved": "2021-08-16T00:00:00",
"dateUpdated": "2024-08-04T01:58:18.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24811 (GCVE-0-2023-24811)
Vulnerability from cvelistv5
Published
2023-02-22 19:13
Modified
2025-03-10 21:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 13.3.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:04.987712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:06:46.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 13.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T19:13:29.602Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e"
}
],
"source": {
"advisory": "GHSA-vc39-c453-67g3",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting (XSS) vulnerability using url preview in Misskey"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-24811",
"datePublished": "2023-02-22T19:13:29.602Z",
"dateReserved": "2023-01-30T14:43:33.703Z",
"dateUpdated": "2025-03-10T21:06:46.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24812 (GCVE-0-2023-24812)
Vulnerability from cvelistv5
Published
2023-02-22 19:10
Modified
2025-03-10 21:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 13.3.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:40.543234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:06:52.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 13.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T19:10:16.148Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306"
}
],
"source": {
"advisory": "GHSA-cgwp-vmr4-wx4q",
"discovery": "UNKNOWN"
},
"title": "SQL injection of notes/search-by-tag"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-24812",
"datePublished": "2023-02-22T19:10:16.148Z",
"dateReserved": "2023-01-30T14:43:33.704Z",
"dateUpdated": "2025-03-10T21:06:52.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52139 (GCVE-0-2023-52139)
Vulnerability from cvelistv5
Published
2023-12-29 17:21
Modified
2024-08-02 22:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user's permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64).
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misskey-dev | misskey |
Version: < 2023.12.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user\u0027s permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T17:21:01.898Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm"
},
{
"name": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64"
}
],
"source": {
"advisory": "GHSA-7pxq-6xx9-xpgm",
"discovery": "UNKNOWN"
},
"title": "Misskey vulnerable to improper authorization when accessing with third-party application"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52139",
"datePublished": "2023-12-29T17:21:01.898Z",
"dateReserved": "2023-12-28T14:59:11.165Z",
"dateUpdated": "2024-08-02T22:48:12.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1020010 (GCVE-0-2019-1020010)
Vulnerability from cvelistv5
Published
2019-07-29 12:12
Modified
2024-08-05 03:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- hijacking a user's token
Summary
Misskey before 10.102.4 allows hijacking a user's token.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:14:15.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Misskey",
"vendor": "Misskey",
"versions": [
{
"status": "affected",
"version": "\u003c 10.102.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey before 10.102.4 allows hijacking a user\u0027s token."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "hijacking a user\u0027s token",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-29T12:12:04",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1020010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Misskey",
"version": {
"version_data": [
{
"version_value": "\u003c 10.102.4"
}
]
}
}
]
},
"vendor_name": "Misskey"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Misskey before 10.102.4 allows hijacking a user\u0027s token."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "hijacking a user\u0027s token"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p",
"refsource": "MISC",
"url": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1020010",
"datePublished": "2019-07-29T12:12:04",
"dateReserved": "2019-07-26T00:00:00",
"dateUpdated": "2024-08-05T03:14:15.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-09-07 19:15
Modified
2024-11-21 06:18
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A2733AC-B327-4BA4-92A0-735E36B8ED7B",
"versionEndExcluding": "12.90.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in \"Upload from URL\" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running."
},
{
"lang": "es",
"value": "Misskey es una plataforma de microblogging descentralizada de c\u00f3digo abierto. En las versiones afectadas se presenta una vulnerabilidad de tipo Server-Side Request Forgery en el manejo de \"Upload from URL\" y archivos adjuntos remotos. Esto podr\u00eda resultar en una divulgaci\u00f3n de informaci\u00f3n no p\u00fablica dentro de la red interna. Esto es corregido en versi\u00f3n 12.90.0. Sin embargo, si esta usando un proxy, necesitar\u00e1 tomar medidas adicionales. Como soluci\u00f3n alternativa, este problema puede ser evitado restringiendo apropiadamente el acceso a las redes privadas desde el host donde se ejecuta la aplicaci\u00f3n"
}
],
"id": "CVE-2021-39195",
"lastModified": "2024-11-21T06:18:51.590",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-07T19:15:08.600",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-22 19:15
Modified
2024-11-21 07:49
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFC6D0B2-D52A-49DC-AFD1-7E49379F3013",
"versionEndExcluding": "13.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not \"view on remote\" for untrusted instances."
}
],
"id": "CVE-2023-25154",
"lastModified": "2024-11-21T07:49:12.763",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-22T19:15:11.610",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pfp5-r48x-fg25"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-19 20:15
Modified
2025-02-05 22:36
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119 | Product | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308 | Product | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143 | Product | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a | Patch | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88A71974-F179-4C37-91EB-4F233EA958DA",
"versionEndExcluding": "2024.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn\u0027t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."
},
{
"lang": "es",
"value": "Misskey es una plataforma de redes sociales descentralizada y de c\u00f3digo abierto con soporte ActivityPub. Antes de la versi\u00f3n 2024.2.0, al recuperar objetos remotos de Activity Streams, Misskey no verifica que la respuesta del servidor remoto tenga un valor de encabezado `Content-Type` del tipo de medio Activity Streams, lo que permite a un actor de amenazas cargar un documento de Activity Streams elaborado a un servidor remoto y hacer que una instancia de Misskey lo recupere, si el servidor remoto acepta cargas arbitrarias de usuarios. La vulnerabilidad permite que un actor de amenazas se haga pasar por una cuenta y se haga cargo de ella en un servidor remoto que cumple con todas las siguientes propiedades: permite al actor de amenazas registrar una cuenta; acepta documentos arbitrarios subidos por usuarios y los coloca en el mismo dominio que los actores leg\u00edtimos de Activity Streams; y proporciona documentos subidos por el usuario en respuesta a solicitudes con un valor de encabezado \"Aceptar\" del tipo de medio Activity Streams. La versi\u00f3n 2024.2.0 contiene un parche para el problema."
}
],
"id": "CVE-2024-25636",
"lastModified": "2025-02-05T22:36:30.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-19T20:15:46.077",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-22 20:15
Modified
2024-11-21 07:48
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306 | Patch | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C283C863-C990-470A-9815-AC6A14462687",
"versionEndExcluding": "13.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint."
}
],
"id": "CVE-2023-24812",
"lastModified": "2024-11-21T07:48:26.657",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-22T20:15:12.777",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-22 20:15
Modified
2024-11-21 07:48
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e | Patch | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E4B92EAB-F584-4A4F-9F1F-3C5AF8C44008",
"versionEndExcluding": "13.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.\n"
}
],
"id": "CVE-2023-24811",
"lastModified": "2024-11-21T07:48:26.543",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-22T20:15:12.700",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-11 16:15
Modified
2025-02-20 15:48
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it's possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1CD22A7E-7810-47A9-8B23-6783D9863694",
"versionEndIncluding": "2025.1.0",
"versionStartIncluding": "12.109.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else\u0027s device, but it\u0027s possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue."
},
{
"lang": "es",
"value": "Misskey es una plataforma de redes sociales federada de c\u00f3digo abierto. A partir de la versi\u00f3n 12.109.0 y antes de la versi\u00f3n 2025.2.0-alpha.0, se almacena un token de inicio de sesi\u00f3n llamado `token` en una cookie con fines de autenticaci\u00f3n en Bull Dashboard, pero este permanece sin eliminarse incluso despu\u00e9s de cerrar la sesi\u00f3n. Los principales usuarios afectados ser\u00e1n aquellos que hayan iniciado sesi\u00f3n en Misskey utilizando una PC p\u00fablica o el dispositivo de otra persona, pero es posible que los usuarios que hayan cerrado sesi\u00f3n en Misskey antes de prestar su PC a otra persona tambi\u00e9n se vean afectados. La versi\u00f3n 2025.2.0-alpha.0 contiene una soluci\u00f3n para este problema."
}
],
"id": "CVE-2025-24896",
"lastModified": "2025-02-20T15:48:37.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-11T16:15:51.477",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/ba9f295ef2bf31cc90fa587e20b9a7655b7a1824"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-w98m-j6hq-cwjm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-22 20:15
Modified
2024-11-21 07:48
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "981BA492-22E1-491A-945F-7106858A5249",
"versionEndExcluding": "13.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps."
}
],
"id": "CVE-2023-24810",
"lastModified": "2024-11-21T07:48:26.433",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-22T20:15:12.630",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-cc6r-chgr-8r5m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-29 19:15
Modified
2024-11-21 08:32
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc | Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8D48B2F6-D125-4D8F-85CC-65D219F85763",
"versionEndExcluding": "2023.11.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Misskey\u0027s missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1."
},
{
"lang": "es",
"value": "Misskey es una plataforma de redes sociales descentralizada y de c\u00f3digo abierto. La validaci\u00f3n de firma faltante de Misskey permite a usuarios arbitrarios hacerse pasar por cualquier usuario remoto. Este problema se solucion\u00f3 en la versi\u00f3n 2023.11.1-beta.1."
}
],
"id": "CVE-2023-49079",
"lastModified": "2024-11-21T08:32:46.610",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-29T19:15:07.713",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-3f39-6537-3cgc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-29 18:15
Modified
2024-11-21 08:39
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user's permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 | Patch | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "734BD3CF-AAAF-430C-B820-D6E86655FD82",
"versionEndExcluding": "2023.12.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user\u0027s permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64)."
},
{
"lang": "es",
"value": "Misskey es una plataforma de redes sociales descentralizada y de c\u00f3digo abierto. Es posible que las aplicaciones de terceros puedan acceder a algunos endpoints o API de Websocket que est\u00e1n especificados incorrectamente como [kind] (https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) o [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) sin el permiso del usuario y realizar operaciones como leer o agregar contenido no p\u00fablico. Como resultado, si el usuario que autentic\u00f3 la aplicaci\u00f3n es un administrador, se filtrar\u00e1 informaci\u00f3n confidencial como claves secretas de almacenamiento de objetos y contrase\u00f1as del servidor SMTP, y los usuarios generales tambi\u00e9n pueden crear c\u00f3digos de invitaci\u00f3n sin permiso y filtrar informaci\u00f3n de usuario no p\u00fablica. Esto est\u00e1 parcheado en la versi\u00f3n [2023.12.1] (https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64)."
}
],
"id": "CVE-2023-52139",
"lastModified": "2024-11-21T08:39:15.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T18:15:39.227",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-08-27 13:15
Modified
2024-11-21 06:18
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E6D51FB-70AB-4EF8-B173-168D76D8338A",
"versionEndExcluding": "12.51.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading."
},
{
"lang": "es",
"value": "Misskey es una platamanera de microblogging descentralizada. En las versiones de Misskey anteriores a 12.51.0, unos actores maliciosos pueden usar el di\u00e1logo incorporado en el cliente web para mostrar una cadena maliciosa, conllevando a un ataque de tipo cross-site scripting (XSS). El ataque de tipo XSS podr\u00eda comprometer el token de petici\u00f3n de la API. Este problema ha sido corregido en la versi\u00f3n 12.51.0. No se conocen soluciones aparte de la actualizaci\u00f3n."
}
],
"id": "CVE-2021-39169",
"lastModified": "2024-11-21T06:18:46.753",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-27T13:15:07.020",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-29 13:15
Modified
2024-11-21 04:18
Severity ?
Summary
Misskey before 10.102.4 allows hijacking a user's token.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| josh@bress.net | https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p | Exploit, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p | Exploit, Mitigation, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| misskey | misskey | * | |
| misskey | misskey | * | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 | |
| misskey | misskey | 11.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05F0B34A-BB65-408C-8053-48DDC3D1C3FF",
"versionEndExcluding": "10.102.4",
"versionStartIncluding": "10.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC50D734-FB0A-47EF-8BB1-0E353FC22D4D",
"versionEndExcluding": "11.20.2",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "E964986E-D270-4B93-B275-C6392F007B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha10:*:*:*:*:*:*",
"matchCriteriaId": "37073996-D41A-4749-B70A-3B998B9853BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "025F97A7-2145-45C9-AFDC-53441526EEA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "E5326C03-A022-4C55-9862-C43EE7B23451",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "9CE8D977-0BC7-434B-8581-0D3BEB2A7ABA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "E479DF22-5D06-45AD-A51B-CFF26E100860",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "BCE52C36-182E-47B9-BA0A-7A29DB1E43A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha7:*:*:*:*:*:*",
"matchCriteriaId": "56D8F658-5E7F-403C-BDAD-526E0DB24D82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:alpha8:*:*:*:*:*:*",
"matchCriteriaId": "89A6933D-402D-4AD0-8BED-7EC8A135AAFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F9249CEF-1388-4BF2-B04B-C450D5B216F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta10:*:*:*:*:*:*",
"matchCriteriaId": "CAD8DBB6-0977-471C-8C09-610AA4AFB271",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta11:*:*:*:*:*:*",
"matchCriteriaId": "F22BA296-6C19-435C-9303-DD960CA5ACD9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta12:*:*:*:*:*:*",
"matchCriteriaId": "CEC5809D-6C0C-4C6C-8555-955BB7390BB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta13:*:*:*:*:*:*",
"matchCriteriaId": "7860133F-D265-477F-B3B4-7B88ABABBDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta14:*:*:*:*:*:*",
"matchCriteriaId": "F4F50B3F-A99E-49F7-9959-D11CBE875EC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta15:*:*:*:*:*:*",
"matchCriteriaId": "4274117D-10A8-4D91-83CA-4912E3B4734E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta16:*:*:*:*:*:*",
"matchCriteriaId": "3B76A5E9-5B23-4902-93EE-32E8D6D6AE45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "6860F62C-3498-4876-8906-570CDE9E05F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "75A0DAD9-8F53-4692-B4E9-B21A7A26BEB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "7887424B-E9F7-4313-8E40-D408C13FC329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "EE8A70A6-5D45-47BB-80B5-F3B19E493601",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "E1F4D4AF-5E5D-4E89-B1A6-3CA993EB5666",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "9C3503EC-223C-473C-AF5C-2EF3496C2003",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "E3998793-764F-4BCF-A978-D45A2A111668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:misskey:misskey:11.0.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "DBEBD39D-DB2D-49C5-8D80-531316C33F63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey before 10.102.4 allows hijacking a user\u0027s token."
},
{
"lang": "es",
"value": "Misskey anterior a versi\u00f3n 10.102.4, permite el secuestro de un token de usuario."
}
],
"id": "CVE-2019-1020010",
"lastModified": "2024-11-21T04:18:11.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-29T13:15:11.683",
"references": [
{
"source": "josh@bress.net",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p"
}
],
"sourceIdentifier": "josh@bress.net",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-04 21:15
Modified
2024-11-21 08:24
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2 | Patch | |
| security-advisories@github.com | https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc | Vendor Advisory | |
| security-advisories@github.com | https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf | Not Applicable |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76183927-4600-43CA-A33B-D329E57A3A03",
"versionEndExcluding": "2023.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds."
},
{
"lang": "es",
"value": "Misskey es una plataforma de redes sociales descentralizada y de c\u00f3digo abierto. Antes de la versi\u00f3n 2023.9.0, al editar la URL, un usuario pod\u00eda omitir la autenticaci\u00f3n del panel Bull, que es la interfaz de usuario de administraci\u00f3n de la cola de trabajos, y acceder a \u00e9l. La versi\u00f3n 2023.9.0 contiene una soluci\u00f3n. No se conocen workarounds."
}
],
"id": "CVE-2023-43793",
"lastModified": "2024-11-21T08:24:47.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-04T21:15:10.040",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/misskey-dev/misskey/commit/c9aeccb2ab260ceedc126e6e366da8cd13ece4b2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-g8w5-568f-ffwf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}