CVE-2024-52593

Name of the Vulnerable Software and Affected Versions Misskey versions prior to 2024.11.0-alpha.3

Description Misskey is an open source, federated social media platform. In affected versions, missing validation in NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson allows an attacker to control the target of any "origin" links, such as the "view on remote instance" banner. Any HTTPS URL can be set, even if it belongs to a different domain than the note or user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users.

Recommendations For versions prior to 2024.11.0-alpha.3, upgrade to version 2024.11.0-alpha.3 or later to resolve the issue. As a temporary workaround, consider disabling the NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson functions until a patch is available. Restrict access to unverified URLs to minimize the risk of exploitation. Avoid using unverified URLs in clickable links until the issue is resolved.