CVE-2024-52592

Source
https://cve.org/CVERecord?id=CVE-2024-52592
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-52592
Aliases
  • GHSA-5h8r-gq97-xv69
Published
2024-12-18T19:19:17.863Z
Modified
2026-07-08T06:53:06.833166543Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Missing validation allows spoofed poll updates in Misskey
Details

Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52592.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/misskey-dev/misskey

Affected ranges

Type
GIT
Repo
https://github.com/misskey-dev/misskey
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.92.1"
        },
        {
            "fixed": "2024.11.0-alpha.3"
        },
        {
            "fixed": "2024.11.0"
        }
    ]
}

Affected versions

10.*
10.92.1
10.92.2
10.92.3
10.92.4
10.93.0
10.93.1
10.94.0
10.95.0
10.96.0
10.97.0
10.97.1
10.97.2
10.98.0
10.98.1
10.98.2
10.98.3
10.99.0
11.*
11.0.0-alpha.1
11.0.0-alpha.10
11.0.0-alpha.2
11.0.0-alpha.3
11.0.0-alpha.4
11.0.0-alpha.5
11.0.0-alpha.6
11.0.0-alpha.7
11.0.0-alpha.8
11.0.0-beta.1
11.0.0-beta.10
11.0.0-beta.11
11.0.0-beta.12
11.0.0-beta.13
11.0.0-beta.14
11.0.0-beta.15
11.0.0-beta.16
11.0.0-beta.2
11.0.0-beta.3
11.0.0-beta.4
11.0.0-beta.5
11.0.0-beta.6
11.0.0-beta.7
11.0.0-beta.8
11.0.0-beta.9
11.26.1
11.26.2
11.27.0
11.27.1
11.28.0
11.28.1
11.28.2
11.29.0
11.30.0
11.31.0
11.31.1
11.31.2
11.31.3
11.31.4
11.32.0
11.33.0
11.34.0
11.35.0
11.35.1
11.36.0
11.37.0
11.37.1
12.*
12.0.0
12.1.0
12.10.0
12.11.0
12.12.0
12.13.0
12.14.0
12.15.0
12.16.0
12.17.0
12.18.0
12.18.1
12.19.0
12.2.0
12.20.0
12.21.0
12.29.0
12.3.0
12.30.0
12.31.0
12.32.0
12.33.0
12.34.0
12.35.0
12.35.1
12.35.2
12.36.0
12.36.1
12.37.0
12.38.0
12.38.1
12.39.0
12.39.1
12.4.0
12.4.1
12.40.0
12.41.0
12.41.1
12.41.2
12.41.3
12.42.0
12.43.0
12.44.0
12.44.1
12.45.0
12.45.1
12.46.0
12.47.0
12.47.1
12.48.0
12.48.1
12.48.2
12.48.3
12.49.0
12.49.1
12.5.0
12.50.0
12.51.0
12.52.0
12.53.0
12.54.0
12.55.0
12.56.0
12.57.0
12.57.1
12.57.4
12.58.0
12.59.0
12.6.0
12.60.0
12.60.1
12.61.0
12.61.1
12.62.0
12.62.1
12.62.2
12.63.0
12.64.0
12.64.1
12.64.2
12.65.0
12.65.1
12.65.2
12.65.3
12.65.4
12.65.5
12.65.6
12.65.7
12.66.0
12.67.0
12.67.1
12.7.0
12.7.1
12.8.0
12.9.0
13.*
13.0.0-beta.16
13.0.0-beta.21
13.0.0-beta.22
13.0.0-beta.23
13.0.0-beta.24
13.0.0-beta.25
13.0.0-beta.26
13.0.0-beta.27
13.0.0-beta.28
13.0.0-beta.29
13.0.0-beta.30
13.0.0-beta.31
13.0.0-beta.32
13.0.0-beta.33
13.0.0-beta.34
13.0.0-beta.35
13.0.0-beta.36
13.0.0-beta.37
13.0.0-beta.38
13.0.0-beta.39
13.0.0-beta.40
13.0.0-beta.41
13.0.0-beta.42
13.0.0-beta.43
13.0.0-rc.1
13.0.0-rc.10
13.0.0-rc.11
13.0.0-rc.2
13.0.0-rc.3
13.0.0-rc.5
13.0.0-rc.6
13.0.0-rc.7
13.0.0-rc.8
13.0.0-rc.9
13.11.0-beta.4
13.11.0-beta.6
13.11.0-beta.7
13.11.0-beta.8
13.11.0.beta-1
13.11.0.beta-2
13.11.0.beta-3
13.12.0-beta.2
13.12.0-beta.3
13.12.0-beta.4
13.12.0-beta.5
13.12.0-beta.6
13.13.0-beta.1
13.13.0-beta.2
13.13.0-beta.3
13.13.0-beta.4
13.13.0-beta.5
13.13.0-beta.6
13.13.0-beta.7
13.14.0-beta.1
13.14.0-beta.2
13.14.0-beta.3
13.14.0-beta.4
13.14.0-beta.5
13.14.0-beta.6
13.14.0-beta.7
2023.*
2023.10.0-beta.1
2023.10.0-beta.10
2023.10.0-beta.11
2023.10.0-beta.12
2023.10.0-beta.13
2023.10.0-beta.14
2023.10.0-beta.15
2023.10.0-beta.2
2023.10.0-beta.3
2023.10.0-beta.4
2023.10.0-beta.5
2023.10.0-beta.6
2023.10.0-beta.7
2023.10.0-beta.8
2023.10.0-beta.9
2023.10.2-beta.1
2023.10.2-beta.2
2023.11.0-beta.1
2023.11.0-beta.10
2023.11.0-beta.2
2023.11.0-beta.3
2023.11.0-beta.4
2023.11.0-beta.5
2023.11.0-beta.6
2023.11.0-beta.7
2023.11.0-beta.8
2023.11.0-beta.9
2023.11.1-beta.1
2023.11.1-beta.2
2023.12.0-beta.1
2023.12.0-beta.2
2023.12.0-beta.3
2023.12.0-beta.4
2023.12.0-beta.5
2023.12.0-beta.6
2023.9.0-beta.1
2023.9.0-beta.10
2023.9.0-beta.11
2023.9.0-beta.2
2023.9.0-beta.3
2023.9.0-beta.4
2023.9.0-beta.5
2023.9.0-beta.6
2023.9.0-beta.7
2023.9.0-beta.8
2023.9.0-beta.9
2023.9.0-rc.1
2023.9.0-rc.2
2023.9.0-rc.3
2023.9.0-rc.4
2024.*
2024.10.0
2024.10.0-alpha.0
2024.10.0-alpha.1
2024.10.0-beta.2
2024.10.0-beta.3
2024.10.0-beta.4
2024.10.0-beta.5
2024.10.0-beta.6
2024.10.1
2024.10.1-alpha.0
2024.10.1-beta.1
2024.10.1-beta.2
2024.10.1-beta.3
2024.10.1-beta.4
2024.10.1-beta.5
2024.10.1-beta.6
2024.10.2-alpha.0
2024.10.2-alpha.1
2024.10.2-alpha.2
2024.11.0-alpha.1
2024.11.0-alpha.2
2024.2.0-beta.1
2024.2.0-beta.10
2024.2.0-beta.12
2024.2.0-beta.13
2024.2.0-beta.2
2024.2.0-beta.3
2024.2.0-beta.4
2024.2.0-beta.5
2024.2.0-beta.6
2024.2.0-beta.7
2024.2.0-beta.8
2024.2.0-beta.9
2024.7.0
2024.7.0-beta.0
2024.7.0-beta.1
2024.7.0-beta.2
2024.7.0-beta.3
2024.7.0-rc.4
2024.7.0-rc.5
2024.7.0-rc.6
2024.7.0-rc.7
2024.7.0-rc.8
2024.8.0
2024.8.0-alpha.0
2024.8.0-alpha.1
2024.8.0-beta.2
2024.8.0-rc.3
2024.8.0-rc.4
2024.8.0-rc.5
2024.9.0
2024.9.0-alpha.0
2024.9.0-alpha.1
2024.9.0-alpha.10
2024.9.0-alpha.11
2024.9.0-alpha.12
2024.9.0-alpha.13
2024.9.0-alpha.2
2024.9.0-alpha.3
2024.9.0-alpha.4
2024.9.0-alpha.5
2024.9.0-alpha.6
2024.9.0-alpha.7
2024.9.0-alpha.8
2024.9.0-alpha.9
2024.9.0-beta.14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json"