PT-2023-19795 · Misskey · Misskey
Ry0Tak · Published 2023-02-22 · Updated 2023-03-03 · CVE-2023-24811
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Misskey versions prior to 13.3.2
Description
A cross-site scripting vulnerability caused by insufficient URL validation in the URL preview function. Arbitrary JavaScript can be executed when a malicious URL is loaded in the View in Player or View in Window preview.
Recommendations
For versions prior to 13.3.2, upgrade to version 13.3.2 to resolve the issue.
For users unable to upgrade, avoid using the View in Player or View in Window functions as a temporary workaround.
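
The kind of URL validation the Description says was insufficient, sketched as an added defensive example; it is not Misskey's code or its actual fix. The preview object shape, the function names and the http/https allowlist are assumptions, and the sample inputs are constructed.

```javascript
// Added example: allowlist validation for a preview "player" URL.
// The preview object shape ({ player: { url } }) is an assumption.
const ALLOWED_PROTOCOLS = new Set(['https:', 'http:']);

// Weak check: blocklists one spelling of one scheme on the raw string.
function naiveIsSafe(raw) {
  return !raw.startsWith('javascript:');
}

// Hardened check: parse first, then allowlist the parsed protocol.
// Returns the normalized URL string, or null if it must not be loaded.
function safePlayerUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw); // no base: relative and scheme-less input is rejected
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Embedded credentials have no place in an embeddable player URL.
  if (parsed.username !== '' || parsed.password !== '') return null;
  return parsed.href;
}

// Strip an untrusted player URL from preview metadata before it reaches the UI.
function sanitizePreview(preview) {
  const url = safePlayerUrl(preview?.player?.url);
  return { ...preview, player: url ? { ...preview.player, url } : null };
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  'https://video.example/embed/123',
  'javascript:alert(1)',
  ' JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<p>x</p>',
  '//video.example/embed/123',
];
for (const s of samples) {
  console.log(JSON.stringify(s), 'naive:', naiveIsSafe(s), 'hardened:', safePlayerUrl(s));
}
```

The raw-string check accepts the padded and tab-split spellings because the URL parser strips that whitespace before resolving the scheme, so the allowlist has to run on the parsed protocol and the caller has to use the returned normalized value rather than the original string.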
Affected Products
Misskey