CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52077 – External apps using tokens issued by administrators and moderators can call admin APIs
https://notcve.org/view.php?id=CVE-2023-52077
27 Dec 2023 — Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5. Nexkey es una bifurcación liviana de Misskey v12 optimizada para servidores de tamaño pequeño y med... • https://github.com/mei23/misskey-v12/commit/78173e376f14fcc1987b02196f5538bf5b18225c • CWE-863: Incorrect Authorization •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49095 – nexkey allows arbitrary users to impersonate any remote user due to missing signature validation
https://notcve.org/view.php?id=CVE-2023-49095
30 Nov 2023 — nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2. nexkey es una plataforma de microblogging. Una validación insuficiente de las solicitudes de ActivityPub recibidas en la bandeja de entrada podría permitir que cualquier usuario se haga pasar por otro usuario en determinadas circunstancias. Este problema se solucionó en la versión 12.1... • https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43805 – Nexkey allows users to bypass authentication of Bull dashboard
https://notcve.org/view.php?id=CVE-2023-43805
04 Oct 2023 — Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possible to avoid this by blocking access using tools such as Cloudflare's WAF. Nexkey es un fork de Misskey, una plataforma de redes sociales descentralizada y de código abierto. • https://github.com/misskey-dev/misskey/security/advisories/GHSA-9fj2-gjcf-cqqc • CWE-287: Improper Authentication •