Home > Vulnerability Database > CVE-2024-52593

Mend.io Vulnerability Database

CVE-2024-52593

Date: December 18, 2024

Misskey is an open source, federated social media platform.In affected versions missing validation in "NoteCreateService.insertNote", "ApPersonService.createPerson", and "ApPersonService.updatePerson" allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: JS

Severity Score

4.3

Related Resources (3)

Url: https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-52593

Url: https://www.mend.io/vulnerability-database/CVE-2024-52593

Severity Score

4.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-52593

Date: December 18, 2024

Language: JS

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?