CVE-2023-24811
CVSS V2 None
CVSS V3 None
Description
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
Overview
- CVE ID
- CVE-2023-24811
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-02-22T20:15:12
- Last Modified Date
- 2023-03-03T04:43:29
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:* | 1 | OR | 13.3.2 |
References
Reference URL | Reference Tags |
---|---|
https://github.com/misskey-dev/misskey/commit/38f9d1e76428bea47c5944c440eab25428c7d99e | Patch |
https://github.com/misskey-dev/misskey/security/advisories/GHSA-vc39-c453-67g3 | Vendor Advisory |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-24811 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24811 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2023-04-17 05:17:52 | Added to TrackCVE | |||
2023-04-17 05:17:54 | Weakness Enumeration | new |