CVE-2023-52077 HIGH

CVE-2023-52077: External apps using tokens issued by administrators and moderators can call admin APIs

Vendor Nexryai

Product nexkey

Weakness CWE-863 · Incorrect authorization

Published December 27, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5.

Key dates

02Disclosure timeline

December 27, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-52077 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2023-52077: External apps using tokens issued by administrators and moderators can call admin APIs

01Description

02Disclosure timeline

03References

04Related CVE