Cross site scripting (XSS) vulnerability using url preview in Misskey
CVE-2023-24811

7.1HIGH

Key Information:

Vendor: Misskey-dev
Status: Misskey
Vendor: CVE Published:; 22 February 2023

🔔 Create Misskey-dev Vulnerability Alert

What is CVE-2023-24811?

Misskey, an open-source decentralized social media platform, is vulnerable to a cross-site scripting (XSS) issue in its URL preview functionality. Versions prior to 13.3.2 fail to properly validate URLs, allowing malicious actors to execute arbitrary JavaScript when a harmful URL is accessed through the 'View in Player' or 'View in Window' features. To mitigate this risk, it is crucial for users to upgrade to version 13.3.2 or higher. For those unable to update, it is recommended to refrain from using the compromised preview functions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

misskey < 13.3.2

References

https://github.com/misskey-dev/misskey/security/advisorie...

x_refsource_CONFIRM

https://github.com/misskey-dev/misskey/commit/38f9d1e7642...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 22, 2023
Vulnerability Reserved
Jan 30, 2023

JSON

Misskey-dev