We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-52593

Missing validation allows spoofed "origin" links in Misskey



Description

Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reserved 2024-11-14 | Published 2024-12-18 | Updated 2024-12-18 | Assigner GitHub_M


MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-20: Improper Input Validation

Product status

>= 12.29.0, < 2024.11.0-alpha.3
affected

References

github.com/...isskey/security/advisories/GHSA-675w-hf2m-qwmj

cve.org (CVE-2024-52593)

nvd.nist.gov (CVE-2024-52593)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-52593

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.