Skip to main content

Misskey CVE-2023-25154

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-02-22 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 22, 2023 - 19:15 nvd
MEDIUM 6.1

DescriptionNVD

Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances.

AnalysisAI

Misskey is an open source, decentralized social media platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execute JavaScript code in the context of the recipient. This issue has been fixed in version 13.5.0. Users are advised to upgrade. Users unable to upgrade should not "view on remote" for untrusted instances. Affected products include: Misskey. Version information: prior to 13.5.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-32983 HIGH POC
7.5 Jun 03

Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2019-1020010 MEDIUM POC
6.1 Jul 29

Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2023-24812 CRITICAL
9.8 Feb 22

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2023-52139 CRITICAL
9.6 Dec 29

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i

CVE-2025-46559 MEDIUM POC
5.4 May 05

Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo

CVE-2024-52591 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-52590 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-25636 HIGH
8.8 Feb 19

Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8),

CVE-2025-24897 HIGH
8.2 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote

CVE-2025-24896 HIGH
8.1 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote

CVE-2026-28431 HIGH
7.5 Mar 10

Misskey is an open source, federated social media platform.

CVE-2026-28432 HIGH
7.5 Mar 10

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp

Share

CVE-2023-25154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy