PT-2023-19942 · Misskey · Misskey

Ry0Tak · Published 2023-02-22 · Updated 2023-03-03 · CVE-2023-25154

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 13.5.0

Description: Misskey is an open source, decentralized social media platform. In affected versions, the link to the sender's instance that appears when viewing a user or note received through ActivityPub is not properly validated, allowing an attacker to execute JavaScript code in the recipient's context by supplying a URL with a javascript: scheme.

Recommendations: For versions prior to 13.5.0, upgrade to version 13.5.0 to fix the issue. Users unable to upgrade should not use "view on remote" for untrusted instances as a temporary workaround.
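The check at the heart of this issue, as an added example that is not Misskey's own code: a remote ActivityPub object supplies the URL that becomes the "view on remote" link, so the renderer must accept only http(s) schemes before using it as an href. The function names, the sample values and the choice of the WHATWG URL parser are assumptions of this example, not details taken from the Misskey fix.

```javascript
// Added example (not Misskey's code): validating the remote-supplied link that a
// fediverse client renders for a user or note received over ActivityPub.
// Function names and sample inputs are constructed for illustration.

// Weak form: the remote-supplied value is used directly as an href, so a
// javascript: URL becomes a clickable script in the recipient's context.
function weakRemoteLink(remoteUrl) {
  return remoteUrl; // flows straight into <a href="...">
}

// Hardened form: parse with the WHATWG URL parser (the same grammar browsers use,
// which trims surrounding whitespace and lowercases the scheme) and allow only
// http: and https:. Returns null when no remote link should be rendered.
function safeRemoteLink(remoteUrl) {
  if (typeof remoteUrl !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(remoteUrl); // throws for relative or unparsable input
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Constructed sample values a remote object could carry in its url field.
const SAMPLES = [
  'https://remote.example/@alice',
  'http://remote.example/notes/1',
  'javascript:alert(1)',
  ' JavaScript:alert(1)',    // leading space + mixed case: browsers still treat it as javascript:
  'data:text/html,hi',       // non-http scheme, rejected
  '//remote.example/@alice', // scheme-relative: no absolute origin, rejected
];

// Side-by-side view of what each form would hand to the template.
function classify(values) {
  return values.map((v) => ({ input: v, weak: weakRemoteLink(v), safe: safeRemoteLink(v) }));
}

console.log(JSON.stringify(classify(SAMPLES), null, 2));
```

An allow-list on the parsed protocol is preferable to a deny-list of known bad schemes, because the parser already normalises the tricks (case, whitespace, encoded characters) that a string comparison on the raw value would miss.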

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-25154
GHSA-PFP5-R48X-FG25

Affected Products

Misskey