PT-2023-19796 · Misskey · Misskey
Ry0Tak · Published 2023-02-22 · Updated 2023-04-10 · CVE-2023-24812
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Misskey versions prior to 13.3.3
Description
Misskey is an open source, decentralized social media platform. SQL injection is possible because of insufficient validation of request parameters in the note search-by-tag API endpoint ("notes/search-by-tag"). The issue has been fixed in version 13.3.3.
Recommendations
For versions prior to 13.3.3, upgrade to version 13.3.3 to resolve the issue.
As a temporary workaround for users unable to upgrade, block access to the api/notes/search-by-tag endpoint.
Exploit
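The temporary workaround above (block the endpoint until the instance is upgraded) is most easily applied at the reverse proxy in front of Misskey. The following nginx fragment is an added example, not configuration from the advisory or from the Misskey project; it assumes nginx proxies to a Misskey instance listening on 127.0.0.1:3000, and the hostname and certificate paths are placeholders.

```nginx
# Added example (not from the advisory): deny the vulnerable API route at the proxy.
# Assumption: nginx fronts Misskey, which listens on 127.0.0.1:3000.
upstream misskey {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name misskey.example.invalid;            # placeholder hostname
    ssl_certificate     /path/to/fullchain.pem;     # placeholder path
    ssl_certificate_key /path/to/privkey.pem;       # placeholder path

    # Temporary workaround from the advisory: refuse every request to
    # notes/search-by-tag regardless of HTTP method, until the instance runs
    # 13.3.3 or later. The exact-match location wins over "location /" below.
    location = /api/notes/search-by-tag {
        return 403;
    }

    # Everything else is proxied to Misskey unchanged.
    location / {
        proxy_pass http://misskey;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, confirm the block is live by sending a request to /api/notes/search-by-tag and checking that the proxy answers 403 rather than forwarding it; the location can be removed once the upgrade to 13.3.3 is done. Blocking at the proxy only protects traffic that passes through it, so any path that reaches Misskey directly still needs the upgrade.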
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products: Misskey