syuilo

7 exploits Active since Aug 2021
CVE-2021-39169 WRITEUP HIGH WRITEUP
Misskey < 12.51.0 - Cross-Site Scripting via Web Client Dialog
Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading.
CVSS 8.0
CVE-2023-24811 WRITEUP HIGH WRITEUP
Misskey < 13.3.2 - Cross-Site Scripting via URL Preview Function
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
CVSS 7.1
CVE-2023-24812 WRITEUP HIGH WRITEUP
Misskey < 13.3.3 - SQL Injection via Notes Search by Tag API
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint.
CVSS 8.8
CVE-2023-43793 WRITEUP HIGH WRITEUP
Misskey < 2023.9.0 - Unauthenticated Authentication Bypass via URL Manipulation
Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds.
CVSS 7.5
CVE-2023-52077 WRITEUP HIGH WRITEUP
Nexkey <12.23Q4.5 - Privilege Escalation
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5.
CVSS 8.9
CVE-2024-25636 WRITEUP HIGH WRITEUP
Misskey < 2024.2.0 - Account Takeover via Unrestricted Activity Streams Document Upload
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
CVSS 7.1
CVE-2024-32983 WRITEUP HIGH WRITEUP
Misskey < 2024.5.0 - Activity Spoofing via Improper JSON Normalization
Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.
CVSS 8.2