Vulnerability DatabaseCVE-2024-52591
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-52591
December 18, 2024
Misskey is an open source, federated social media platform. In affected versions missing validation in "ApRequestService.signedGet" and "HttpRequestService.getActivityJson" allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance than the one where they actually exist, and the forged notes will appear to be posted by a different user. Vulnerable Misskey instances will accept the spoofed objects as valid, allowing an attacker to impersonate other users and instances. The attacker retains full control of the spoofed user / note and can interact like a real account. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Resources (1)
https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
NONE
Subsequent System Availability
LOW
CVSS v3
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Input Validation
CWE-20
EPSS
Base Score:
0.20