SQL Injection in Misskey-dev Misskey
CVE-2023-24812
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in vers…
Vulnerability class: SQL Injection
EPSS: 0.006 (70.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Misskey-dev Misskey — versions < 13.3.3
Weakness classification (CWE)
References
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q (x_refsource_CONFIRM)
- https://github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2023-24812?
- CVE-2023-24812 is a high-severity vulnerability in Misskey-dev Misskey, classified under SQL Injection. CVSS score: 8.8/10. Published 2023-02-22.
- How severe is CVE-2023-24812?
- High severity. CVSS v3 base score is 8.8 out of 10.