Cross site scripting (XSS) vulnerability using authentication callback in Misskey
CVE-2023-24810

7.1HIGH

Key Information:

Vendor: Misskey-dev
Status: Misskey
Vendor: CVE Published:; 22 February 2023

🔔 Create Misskey-dev Vulnerability Alert

What is CVE-2023-24810?

Misskey, an open source and decentralized social media platform, has a vulnerability that arises from insufficient validation of redirect URLs during the miauth authentication process. This flaw potentially allows the execution of arbitrary JavaScript when users authenticate with untrusted applications. All versions preceding 13.3.1, including versions in the 12.x branch, are subject to this issue. It is crucial for users to upgrade to version 13.3.1 or later to mitigate this risk. For those unable to upgrade, caution is advised against granting authentication to any unverified applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

misskey < 13.3.1

References

https://github.com/misskey-dev/misskey/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 22, 2023
Vulnerability Reserved
Jan 30, 2023

JSON

Misskey-dev