Misskey
CVE-2024-52592
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Misskey is an open source, federated social media platform. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Misskey. Version information: version 2024.11.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r
Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i
Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8),
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote
Misskey is an open source, federated social media platform.
federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today