CVE-2019-1020010

MEDIUM LAB

Misskey < 10.102.4 - Token Hijacking via Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-1020010. PoCs published by DXY0411.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2019-1020010, demonstrating an XSS vulnerability in Misskey. The exploit involves creating a malicious app with an XSS payload, generating a session link, and posting it to lure victims into clicking it, which then exfiltrates sensitive data (e.g., localStorage items) to an attacker-controlled server.

Description

Misskey before 10.102.4 allows hijacking a user's token.

Exploits (1)

nomisec WORKING POC

by DXY0411 · poc

https://github.com/DXY0411/CVE-2019-1020010

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2019-1020010, demonstrating an XSS vulnerability in Misskey. The exploit involves creating a malicious app with an XSS payload, generating a session link, and posting it to lure victims into clicking it, which then exfiltrates sensitive data (e.g., localStorage items) to an attacker-controlled server.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Misskey (version not explicitly specified, but likely pre-patch versions)

Auth required

Prerequisites: Access to a Misskey instance · Valid user credentials to create an app and post notes

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Mitigation, Third Party Advisory x_refsource_misc

https://github.com/syuilo/misskey/security/advisories/GHSA-6qw9-6jxq-xj3p

Scores

CVSS v3 6.1

EPSS 0.0126

EPSS Percentile 66.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull shawnsky/puppeteer:5.2.0

https://github.com/DXY0411/CVE-2019-1020010

View in Library

Details

CWE

CWE-79

Status published

Products (2)

misskey/misskey 11.0.0 alpha1 (25 CPE variants)

misskey/misskey 10.46.0 - 10.102.4

Published Jul 29, 2019

Tracked Since Feb 18, 2026