CVE-2023-52077
8.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Summary
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nexryai | nexkey | < 12.23Q4.5 | affected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nexryai/nexkey/security/advisories/GHSA-pjj7-7hcj-9cpc
- https://github.com/mei23/misskey-v12/commit/78173e376f14fcc1987b02196f5538bf5b18225c
- https://github.com/misskey-dev/misskey/commit/5150053275594278e9eb23e72d98b16593c4c230
- https://github.com/nexryai/nexkey/commit/a4e4c9c47c5f84ec7ccd309bde59d4ae5d7e5a98
References
- https://github.com/nexryai/nexkey/security/advisories/GHSA-pjj7-7hcj-9cpc
- https://github.com/mei23/misskey-v12/commit/78173e376f14fcc1987b02196f5538bf5b18225c
- https://github.com/misskey-dev/misskey/commit/5150053275594278e9eb23e72d98b16593c4c230
- https://github.com/nexryai/nexkey/commit/a4e4c9c47c5f84ec7ccd309bde59d4ae5d7e5a98
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.