Cross site scripting (XSS) of ActivityPub URI in misskey

CVE-2023-25154

What is CVE-2023-25154?

The Misskey platform, an open-source decentralized social media system, is susceptible to a security vulnerability that enables attackers to inject malicious JavaScript code. This occurs due to improper validation of URLs linked to user instances when viewing notes received via the ActivityPub protocol. If a user encounters a crafted URL utilizing a JavaScript scheme, it may enable the execution of malicious scripts within the recipient's browser environment. This vulnerability impacts versions preceding 13.5.0, and users are strongly encouraged to upgrade to the latest version. For those unable to perform the upgrade, it is advised to refrain from viewing remote instances that are not trusted.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References