CVE-2023-52077

Name of the Vulnerable Software and Affected Versions Nexkey versions prior to 12.23Q4.5

Description Nexkey, a lightweight fork of Misskey v12 optimized for small to medium size servers, allows external apps using tokens issued by administrators and moderators to call admin APIs. This enables malicious third-party apps to perform operations such as updating server settings and compromise object storage and email server credentials.

Recommendations For versions prior to 12.23Q4.5, update to version 12.23Q4.5 to resolve the issue. As a temporary workaround, consider restricting the use of tokens issued by administrators and moderators to minimize the risk of exploitation. Restrict access to admin APIs to prevent malicious third-party apps from performing unauthorized operations.