CVE-2021-39169

Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version 12.51.0. There are no known workarounds aside from upgrading.

CVSS v3 8.0 HIGH
CVSS v2.0 3.5 LOW

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99	Patch Third Party Advisory
https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww	Patch Third Party Advisory
https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99	Patch Third Party Advisory
https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:18

Type	Values Removed	Values Added
CVSS	v2 : ~~3.5~~ v3 : ~~5.4~~	v2 : 3.5 v3 : 8.0
References	~~() https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 - Patch, Third Party Advisory~~	() https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 - Patch, Third Party Advisory
References	~~() https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww - Patch, Third Party Advisory~~	() https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww - Patch, Third Party Advisory

08 Sep 2021, 13:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.0~~	v2 : 3.5 v3 : 5.4
CPE		cpe:2.3:a:misskey:misskey::::::::
References	~~(MISC) https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 -~~	(MISC) https://github.com/misskey-dev/misskey/commit/ec203f7f795766f76b55fecc9248168c1cdf6c99 - Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww -~~	(CONFIRM) https://github.com/misskey-dev/misskey/security/advisories/GHSA-pmmv-jwqh-f5ww - Patch, Third Party Advisory

27 Aug 2021, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-08-27 13:15

Updated : 2024-11-21 06:18

NVD link : CVE-2021-39169

Mitre link : CVE-2021-39169

CVE.ORG link : CVE-2021-39169

JSON object : View

Products Affected

misskey

misskey

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.0 /10