CVE-2023-24810 HIGH

CVE-2023-24810: Cross site scripting (XSS) vulnerability using authentication callback in Misskey

Vendor Misskey-Dev
Product misskey
Weakness CWE-79 · XSS
Published February 22, 2023
Last update March 10, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

Description

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.
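The remediation the advisory describes comes down to validating the callback (redirect) URL before the authorization page stores it or links to it. The block below is an added example and is not Misskey's own code: it assumes the unsafe case is a callback whose scheme can carry script (the advisory only says the redirect URL was insufficiently validated and that arbitrary JavaScript ran when the user approved the link), and contrasts a loose string check with a parser-based scheme allowlist. Function names and the sample inputs are this example's own.

```typescript
// Added example (not Misskey's implementation): validating an authentication
// callback URL before it is accepted as a redirect target.

// Assumption: only http and https callbacks are ever legitimate. Any other
// scheme (javascript:, data:, vbscript:, ...) is rejected outright.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak check (constructed to show the failure mode): anything that "looks like"
// a URL string passes, including a script-carrying scheme.
function naiveIsCallbackUrl(raw: string): boolean {
  return raw.length > 0 && raw.includes(":");
}

// Parse with the WHATWG URL parser; relative or malformed input yields null.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Hardened check: returns the normalized absolute URL, or null if the input
// must not be used as a redirect target.
function validateCallbackUrl(raw: string): string | null {
  const url = parseUrl(raw);
  if (url === null) return null;
  // url.protocol is lower-cased and leading/trailing whitespace is stripped
  // by the parser, so "  JavaScript:..." still ends up as "javascript:".
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Embedded credentials have no place in a callback URL.
  if (url.username !== "" || url.password !== "") return null;
  // An http(s) URL without a host is never a usable callback.
  if (url.hostname === "") return null;
  return url.toString();
}

// Stand-alone demonstration over constructed inputs.
const samples = [
  "https://app.example/cb?session=abc",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "data:text/html,oops",
  "/relative/path",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive:", naiveIsCallbackUrl(s), "hardened:", validateCallbackUrl(s));
}
```

The point of the contrast is that a redirect target is untrusted input like any other: the only safe decision is to parse it and compare the resulting scheme against a short allowlist, rather than looking for substrings or relying on the client to refuse to follow an odd link.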

Key dates

Disclosure timeline

February 22, 2023 CVE published
March 10, 2025 Record updated