{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T09:04:17.104","vulnerabilities":[{"cve":{"id":"CVE-2024-52593","sourceIdentifier":"security-advisories@github.com","published":"2024-12-18T20:15:23.983","lastModified":"2025-11-26T16:34:54.117","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any \"origin\" links (such as the \"view on remote instance\" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"Misskey es una plataforma de redes sociales federada de código abierto. En las versiones afectadas, la falta de validación en `NoteCreateService.insertNote`, `ApPersonService.createPerson` y `ApPersonService.updatePerson` permite a un atacante controlar el destino de cualquier enlace de \"origen\" (como el banner \"ver en instancia remota\"). Se puede configurar cualquier URL HTTPS, incluso si pertenece a un dominio diferente al de la nota/usuario. Las instancias vulnerables de Misskey utilizarán la URL no verificada para varios enlaces en los que se puede hacer clic, lo que permite a un atacante realizar ataques de phishing u otros ataques contra usuarios remotos. Este problema se ha solucionado en la versión 2024.11.0-alpha.3. Se recomienda a los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*","versionStartIncluding":"12.29.0","versionEndExcluding":"2024.11.0","matchCriteriaId":"0FA13E34-3ADE-48E9-8518-A325D7AF5951"},{"vulnerable":true,"criteria":"cpe:2.3:a:misskey:misskey:2024.11.0:alpha0:*:*:*:*:*:*","matchCriteriaId":"1BF4BE35-2292-4FD3-BE70-1ECB93C759D5"},{"vulnerable":true,"criteria":"cpe:2.3:a:misskey:misskey:2024.11.0:alpha1:*:*:*:*:*:*","matchCriteriaId":"E74599B9-F76E-40E2-A2BC-297FBCD4114A"},{"vulnerable":true,"criteria":"cpe:2.3:a:misskey:misskey:2024.11.0:alpha2:*:*:*:*:*:*","matchCriteriaId":"43BB14C6-8368-49E6-A1EF-6218C7ED998C"}]}]}],"references":[{"url":"https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}