External apps using tokens issued by administrators and moderators can call admin APIs
CVE-2023-52077

8.9 HIGH

Key Information:

Vendor: nexryai
Status: Vendor
CVE Published: 27 December 2023

What is CVE-2023-52077?

Nexkey is a lightweight variant of Misskey designed for small to medium-sized servers. Before version 12.23Q4.5, its API did not distinguish between a user's own credentials and tokens issued to external (third-party) apps when authorizing admin endpoints: an app token created by an administrator or moderator account carried that account's full privileges, so the external app holding it could call admin-level APIs. Through those APIs the app could change server configuration and read sensitive settings, including object storage and email server credentials. The issue is fixed in version 12.23Q4.5. Administrators should update, and, because any app token issued by a staff account before the update could already have been used this way, review and revoke such tokens and rotate any object storage or mail credentials that may have been exposed.
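
The following is an added illustration of the authorization pattern behind this flaw; it is not Nexkey's or Misskey's own code. The type names, the endpoint table, the `kind` scope field and the distinction between a user's own ("native") token and a token issued to an app are assumptions chosen to show the pattern, not the project's real implementation or fix.

```typescript
// Added example (not project code). Shows why checking only the token
// owner's role lets an app token issued by an admin reach admin endpoints,
// and the extra check that closes that gap.

type Role = "user" | "moderator" | "admin";

interface User {
  id: string;
  role: Role;
}

// Credential presented with an API call. `app` is set when the token was
// issued to a third-party application the user authorized; it is absent for
// a token the user created for their own client (a "native" token).
// Field names are assumptions.
interface AccessToken {
  user: User;
  app?: { name: string; permissions: string[] };
}

interface EndpointMeta {
  name: string;
  requireAdmin?: boolean;
  requireModerator?: boolean;
  kind?: string; // scope an app token must have been granted, e.g. "write:notes"
}

// Constructed endpoint table (assumed; not the project's real list).
const ENDPOINTS: EndpointMeta[] = [
  { name: "notes/create", kind: "write:notes" },
  { name: "admin/meta", requireAdmin: true },
  { name: "admin/update-meta", requireAdmin: true },
  { name: "admin/suspend-user", requireModerator: true },
];

function findEndpoint(name: string): EndpointMeta {
  for (const ep of ENDPOINTS) {
    if (ep.name === name) return ep;
  }
  throw new Error("unknown endpoint: " + name);
}

function hasRole(user: User, required: "admin" | "moderator"): boolean {
  if (required === "admin") return user.role === "admin";
  return user.role === "admin" || user.role === "moderator";
}

// Role and scope checks shared by both variants below. App tokens are limited
// by scope only on endpoints that declare a `kind`; the admin endpoints here
// declare none, so nothing in this function distinguishes an app token from
// the owner's own credentials.
function checkRoleAndScope(ep: EndpointMeta, token: AccessToken): boolean {
  if (ep.requireAdmin && !hasRole(token.user, "admin")) return false;
  if (ep.requireModerator && !hasRole(token.user, "moderator")) return false;
  if (token.app !== undefined && ep.kind !== undefined) {
    if (token.app.permissions.indexOf(ep.kind) === -1) return false;
  }
  return true;
}

// Vulnerable pattern: authorization rests on the token owner's role alone,
// so an app token issued by an administrator passes for admin/* endpoints.
function authorizeVulnerable(endpointName: string, token: AccessToken): boolean {
  return checkRoleAndScope(findEndpoint(endpointName), token);
}

// Hardened pattern: staff-only endpoints additionally require a native token,
// so an external app never inherits the issuing account's admin or moderator
// powers, whatever scopes it was granted.
function authorizeHardened(endpointName: string, token: AccessToken): boolean {
  const ep = findEndpoint(endpointName);
  const isNativeToken = token.app === undefined;
  if ((ep.requireAdmin || ep.requireModerator) && !isNativeToken) return false;
  return checkRoleAndScope(ep, token);
}

// Constructed sample credentials (not real data): an admin's own token and a
// token the same admin issued to a third-party cross-posting app.
const ADMIN: User = { id: "u1", role: "admin" };
const ADMIN_NATIVE_TOKEN: AccessToken = { user: ADMIN };
const ADMIN_APP_TOKEN: AccessToken = {
  user: ADMIN,
  app: { name: "cross-poster", permissions: ["write:notes"] },
};

// Exercise both checks with the app token against the configuration endpoint.
function demo(): { vulnerable: boolean; hardened: boolean } {
  return {
    vulnerable: authorizeVulnerable("admin/update-meta", ADMIN_APP_TOKEN),
    hardened: authorizeHardened("admin/update-meta", ADMIN_APP_TOKEN),
  };
}
```

With the vulnerable check, `demo()` reports that the cross-posting app's token, granted only `write:notes`, is accepted on `admin/update-meta` because its owner is an admin; with the hardened check the same token is rejected while the admin's native token and the app's ordinary `notes/create` call still succeed. When reviewing an instance after the fix, the token inventory of every admin and moderator account is the thing to audit, since scope grants alone said nothing about admin access.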

Affected Version(s)

nexkey < 12.23Q4.5

CVSS V3.1

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 27 December 2023

  • Vulnerability Reserved