Cross site scripting (XSS) vulnerability using authentication callback in Misskey
CVE-2023-24810
7.1HIGH
What is CVE-2023-24810?
Misskey, an open source and decentralized social media platform, has a vulnerability that arises from insufficient validation of redirect URLs during the miauth authentication process. This flaw potentially allows the execution of arbitrary JavaScript when users authenticate with untrusted applications. All versions preceding 13.3.1, including versions in the 12.x branch, are subject to this issue. It is crucial for users to upgrade to version 13.3.1 or later to mitigate this risk. For those unable to upgrade, caution is advised against granting authentication to any unverified applications.
Affected Version(s)
misskey < 13.3.1
