Cross site scripting (XSS) of ActivityPub URI in misskey
CVE-2023-25154
7.1HIGH
What is CVE-2023-25154?
The Misskey platform, an open-source decentralized social media system, is susceptible to a security vulnerability that enables attackers to inject malicious JavaScript code. This occurs due to improper validation of URLs linked to user instances when viewing notes received via the ActivityPub protocol. If a user encounters a crafted URL utilizing a JavaScript scheme, it may enable the execution of malicious scripts within the recipient's browser environment. This vulnerability impacts versions preceding 13.5.0, and users are strongly encouraged to upgrade to the latest version. For those unable to perform the upgrade, it is advised to refrain from viewing remote instances that are not trusted.
Affected Version(s)
misskey < 13.5.0
