CVE-2024-52592

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-52592

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-52592

Aliases

GHSA-5h8r-gq97-xv69

Published

2024-12-18T19:19:17.863Z

Modified

2026-04-10T05:12:21.745420Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Missing validation allows spoofed poll updates in Misskey

Details

Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instance. Vulnerable Misskey instances will accept spoofed updates for remote polls. Local polls are unaffected. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52592.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/misskey-dev/misskey

Affected ranges

Type

GIT

Repo

https://github.com/misskey-dev/misskey

Events

Introduced

5f4a52574f9e023e10b447c41e886ccec7268642

Fixed

a21a2c52d7c3cf75cf67e001e664cb083188e2b8

Database specific

{
    "versions": [
        {
            "introduced": "10.92.1"
        },
        {
            "fixed": "2024.11.0-alpha.3"
        }
    ]
}

Affected versions

10.*

10.92.1

10.92.2

10.92.3

10.92.4

10.93.0

10.93.1

10.94.0

10.95.0

10.96.0

10.97.0

10.97.1

10.97.2

10.98.0

10.98.1

10.98.2

10.98.3

10.99.0

11.*

11.0.0-alpha.1

11.0.0-alpha.10

11.0.0-alpha.2

11.0.0-alpha.3

11.0.0-alpha.4

11.0.0-alpha.5

11.0.0-alpha.6

11.0.0-alpha.7

11.0.0-alpha.8

11.0.0-beta.1

11.0.0-beta.10

11.0.0-beta.11

11.0.0-beta.12

11.0.0-beta.13

11.0.0-beta.14

11.0.0-beta.15

11.0.0-beta.16

11.0.0-beta.2

11.0.0-beta.3

11.0.0-beta.4

11.0.0-beta.5

11.0.0-beta.6

11.0.0-beta.7

11.0.0-beta.8

11.0.0-beta.9

11.26.1

11.26.2

11.27.0

11.27.1

11.28.0

11.28.1

11.28.2

11.29.0

11.30.0

11.31.0

11.31.1

11.31.2

11.31.3

11.31.4

11.32.0

11.33.0

11.34.0

11.35.0

11.35.1

11.36.0

11.37.0

11.37.1

12.*

12.0.0

12.1.0

12.10.0

12.11.0

12.12.0

12.13.0

12.14.0

12.15.0

12.16.0

12.17.0

12.18.0

12.18.1

12.19.0

12.2.0

12.20.0

12.21.0

12.29.0

12.3.0

12.30.0

12.31.0

12.32.0

12.33.0

12.34.0

12.35.0

12.35.1

12.35.2

12.36.0

12.36.1

12.37.0

12.38.0

12.38.1

12.39.0

12.39.1

12.4.0

12.4.1

12.40.0

12.41.0

12.41.1

12.41.2

12.41.3

12.42.0

12.43.0

12.44.0

12.44.1

12.45.0

12.45.1

12.46.0

12.47.0

12.47.1

12.48.0

12.48.1

12.48.2

12.48.3

12.49.0

12.49.1

12.5.0

12.50.0

12.51.0

12.52.0

12.53.0

12.54.0

12.55.0

12.56.0

12.57.0

12.57.1

12.57.4

12.58.0

12.59.0

12.6.0

12.60.0

12.60.1

12.61.0

12.61.1

12.62.0

12.62.1

12.62.2

12.63.0

12.64.0

12.64.1

12.64.2

12.65.0

12.65.1

12.65.2

12.65.3

12.65.4

12.65.5

12.65.6

12.65.7

12.66.0

12.67.0

12.67.1

12.7.0

12.7.1

12.8.0

12.9.0

13.*

13.0.0-beta.16

13.0.0-beta.21

13.0.0-beta.22

13.0.0-beta.23

13.0.0-beta.24

13.0.0-beta.25

13.0.0-beta.26

13.0.0-beta.27

13.0.0-beta.28

13.0.0-beta.29

13.0.0-beta.30

13.0.0-beta.31

13.0.0-beta.32

13.0.0-beta.33

13.0.0-beta.34

13.0.0-beta.35

13.0.0-beta.36

13.0.0-beta.37

13.0.0-beta.38

13.0.0-beta.39

13.0.0-beta.40

13.0.0-beta.41

13.0.0-beta.42

13.0.0-beta.43

13.0.0-rc.1

13.0.0-rc.10

13.0.0-rc.11

13.0.0-rc.2

13.0.0-rc.3

13.0.0-rc.5

13.0.0-rc.6

13.0.0-rc.7

13.0.0-rc.8

13.0.0-rc.9

13.11.0-beta.4

13.11.0-beta.6

13.11.0-beta.7

13.11.0-beta.8

13.11.0.beta-1

13.11.0.beta-2

13.11.0.beta-3

13.12.0-beta.2

13.12.0-beta.3

13.12.0-beta.4

13.12.0-beta.5

13.12.0-beta.6

13.13.0-beta.1

13.13.0-beta.2

13.13.0-beta.3

13.13.0-beta.4

13.13.0-beta.5

13.13.0-beta.6

13.13.0-beta.7

13.14.0-beta.1

13.14.0-beta.2

13.14.0-beta.3

13.14.0-beta.4

13.14.0-beta.5

13.14.0-beta.6

13.14.0-beta.7

2023.*

2023.10.0-beta.1

2023.10.0-beta.10

2023.10.0-beta.11

2023.10.0-beta.12

2023.10.0-beta.13

2023.10.0-beta.14

2023.10.0-beta.15

2023.10.0-beta.2

2023.10.0-beta.3

2023.10.0-beta.4

2023.10.0-beta.5

2023.10.0-beta.6

2023.10.0-beta.7

2023.10.0-beta.8

2023.10.0-beta.9

2023.10.2-beta.1

2023.10.2-beta.2

2023.11.0-beta.1

2023.11.0-beta.10

2023.11.0-beta.2

2023.11.0-beta.3

2023.11.0-beta.4

2023.11.0-beta.5

2023.11.0-beta.6

2023.11.0-beta.7

2023.11.0-beta.8

2023.11.0-beta.9

2023.11.1-beta.1

2023.11.1-beta.2

2023.12.0-beta.1

2023.12.0-beta.2

2023.12.0-beta.3

2023.12.0-beta.4

2023.12.0-beta.5

2023.12.0-beta.6

2023.9.0-beta.1

2023.9.0-beta.10

2023.9.0-beta.11

2023.9.0-beta.2

2023.9.0-beta.3

2023.9.0-beta.4

2023.9.0-beta.5

2023.9.0-beta.6

2023.9.0-beta.7

2023.9.0-beta.8

2023.9.0-beta.9

2023.9.0-rc.1

2023.9.0-rc.2

2023.9.0-rc.3

2023.9.0-rc.4

2024.*

2024.10.0

2024.10.0-alpha.0

2024.10.0-alpha.1

2024.10.0-beta.2

2024.10.0-beta.3

2024.10.0-beta.4

2024.10.0-beta.5

2024.10.0-beta.6

2024.10.1

2024.10.1-alpha.0

2024.10.1-beta.1

2024.10.1-beta.2

2024.10.1-beta.3

2024.10.1-beta.4

2024.10.1-beta.5

2024.10.1-beta.6

2024.10.2-alpha.0

2024.10.2-alpha.1

2024.10.2-alpha.2

2024.11.0-alpha.1

2024.11.0-alpha.2

2024.2.0-beta.1

2024.2.0-beta.10

2024.2.0-beta.12

2024.2.0-beta.13

2024.2.0-beta.2

2024.2.0-beta.3

2024.2.0-beta.4

2024.2.0-beta.5

2024.2.0-beta.6

2024.2.0-beta.7

2024.2.0-beta.8

2024.2.0-beta.9

2024.7.0

2024.7.0-beta.0

2024.7.0-beta.1

2024.7.0-beta.2

2024.7.0-beta.3

2024.7.0-rc.4

2024.7.0-rc.5

2024.7.0-rc.6

2024.7.0-rc.7

2024.7.0-rc.8

2024.8.0

2024.8.0-alpha.0

2024.8.0-alpha.1

2024.8.0-beta.2

2024.8.0-rc.3

2024.8.0-rc.4

2024.8.0-rc.5

2024.9.0

2024.9.0-alpha.0

2024.9.0-alpha.1

2024.9.0-alpha.10

2024.9.0-alpha.11

2024.9.0-alpha.12

2024.9.0-alpha.13

2024.9.0-alpha.2

2024.9.0-alpha.3

2024.9.0-alpha.4

2024.9.0-alpha.5

2024.9.0-alpha.6

2024.9.0-alpha.7

2024.9.0-alpha.8

2024.9.0-alpha.9

2024.9.0-beta.14

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json"

Git / github.com/syuilo/misskey

Affected ranges

Type

GIT

Repo

https://github.com/syuilo/misskey

Events

Introduced

5f4a52574f9e023e10b447c41e886ccec7268642

Fixed

551040ed0ff4bfabeb4c54df2fd1860d58bedd21

Database specific

{
    "versions": [
        {
            "introduced": "10.92.1"
        },
        {
            "fixed": "2024.11.0"
        }
    ]
}

Affected versions

10.*

10.92.1

10.92.2

10.92.3

10.92.4

10.93.0

10.93.1

10.94.0

10.95.0

10.96.0

10.97.0

10.97.1

10.97.2

10.98.0

10.98.1

10.98.2

10.98.3

10.99.0

11.*

11.0.0-alpha.1

11.0.0-alpha.10

11.0.0-alpha.2

11.0.0-alpha.3

11.0.0-alpha.4

11.0.0-alpha.5

11.0.0-alpha.6

11.0.0-alpha.7

11.0.0-alpha.8

11.0.0-beta.1

11.0.0-beta.10

11.0.0-beta.11

11.0.0-beta.12

11.0.0-beta.13

11.0.0-beta.14

11.0.0-beta.15

11.0.0-beta.16

11.0.0-beta.2

11.0.0-beta.3

11.0.0-beta.4

11.0.0-beta.5

11.0.0-beta.6

11.0.0-beta.7

11.0.0-beta.8

11.0.0-beta.9

11.26.1

11.26.2

11.27.0

11.27.1

11.28.0

11.28.1

11.28.2

11.29.0

11.30.0

11.31.0

11.31.1

11.31.2

11.31.3

11.31.4

11.32.0

11.33.0

11.34.0

11.35.0

11.35.1

11.36.0

11.37.0

11.37.1

12.*

12.0.0

12.1.0

12.10.0

12.11.0

12.12.0

12.13.0

12.14.0

12.15.0

12.16.0

12.17.0

12.18.0

12.18.1

12.19.0

12.2.0

12.20.0

12.21.0

12.29.0

12.3.0

12.30.0

12.31.0

12.32.0

12.33.0

12.34.0

12.35.0

12.35.1

12.35.2

12.36.0

12.36.1

12.37.0

12.38.0

12.38.1

12.39.0

12.39.1

12.4.0

12.4.1

12.40.0

12.41.0

12.41.1

12.41.2

12.41.3

12.42.0

12.43.0

12.44.0

12.44.1

12.45.0

12.45.1

12.46.0

12.47.0

12.47.1

12.48.0

12.48.1

12.48.2

12.48.3

12.49.0

12.49.1

12.5.0

12.50.0

12.51.0

12.52.0

12.53.0

12.54.0

12.55.0

12.56.0

12.57.0

12.57.1

12.57.4

12.58.0

12.59.0

12.6.0

12.60.0

12.60.1

12.61.0

12.61.1

12.62.0

12.62.1

12.62.2

12.63.0

12.64.0

12.64.1

12.64.2

12.65.0

12.65.1

12.65.2

12.65.3

12.65.4

12.65.5

12.65.6

12.65.7

12.66.0

12.67.0

12.67.1

12.7.0

12.7.1

12.8.0

12.9.0

13.*

13.0.0-beta.16

13.0.0-beta.21

13.0.0-beta.22

13.0.0-beta.23

13.0.0-beta.24

13.0.0-beta.25

13.0.0-beta.26

13.0.0-beta.27

13.0.0-beta.28

13.0.0-beta.29

13.0.0-beta.30

13.0.0-beta.31

13.0.0-beta.32

13.0.0-beta.33

13.0.0-beta.34

13.0.0-beta.35

13.0.0-beta.36

13.0.0-beta.37

13.0.0-beta.38

13.0.0-beta.39

13.0.0-beta.40

13.0.0-beta.41

13.0.0-beta.42

13.0.0-beta.43

13.0.0-rc.1

13.0.0-rc.10

13.0.0-rc.11

13.0.0-rc.2

13.0.0-rc.3

13.0.0-rc.5

13.0.0-rc.6

13.0.0-rc.7

13.0.0-rc.8

13.0.0-rc.9

13.11.0-beta.4

13.11.0-beta.6

13.11.0-beta.7

13.11.0-beta.8

13.11.0.beta-1

13.11.0.beta-2

13.11.0.beta-3

13.12.0-beta.2

13.12.0-beta.3

13.12.0-beta.4

13.12.0-beta.5

13.12.0-beta.6

13.13.0-beta.1

13.13.0-beta.2

13.13.0-beta.3

13.13.0-beta.4

13.13.0-beta.5

13.13.0-beta.6

13.13.0-beta.7

13.14.0-beta.1

13.14.0-beta.2

13.14.0-beta.3

13.14.0-beta.4

13.14.0-beta.5

13.14.0-beta.6

13.14.0-beta.7

2023.*

2023.10.0-beta.1

2023.10.0-beta.10

2023.10.0-beta.11

2023.10.0-beta.12

2023.10.0-beta.13

2023.10.0-beta.14

2023.10.0-beta.15

2023.10.0-beta.2

2023.10.0-beta.3

2023.10.0-beta.4

2023.10.0-beta.5

2023.10.0-beta.6

2023.10.0-beta.7

2023.10.0-beta.8

2023.10.0-beta.9

2023.10.2-beta.1

2023.10.2-beta.2

2023.11.0-beta.1

2023.11.0-beta.10

2023.11.0-beta.2

2023.11.0-beta.3

2023.11.0-beta.4

2023.11.0-beta.5

2023.11.0-beta.6

2023.11.0-beta.7

2023.11.0-beta.8

2023.11.0-beta.9

2023.11.1-beta.1

2023.11.1-beta.2

2023.12.0-beta.1

2023.12.0-beta.2

2023.12.0-beta.3

2023.12.0-beta.4

2023.12.0-beta.5

2023.12.0-beta.6

2023.9.0-beta.1

2023.9.0-beta.10

2023.9.0-beta.11

2023.9.0-beta.2

2023.9.0-beta.3

2023.9.0-beta.4

2023.9.0-beta.5

2023.9.0-beta.6

2023.9.0-beta.7

2023.9.0-beta.8

2023.9.0-beta.9

2023.9.0-rc.1

2023.9.0-rc.2

2023.9.0-rc.3

2023.9.0-rc.4

2024.*

2024.10.0

2024.10.0-alpha.0

2024.10.0-alpha.1

2024.10.0-beta.2

2024.10.0-beta.3

2024.10.0-beta.4

2024.10.0-beta.5

2024.10.0-beta.6

2024.10.1

2024.10.1-alpha.0

2024.10.1-beta.1

2024.10.1-beta.2

2024.10.1-beta.3

2024.10.1-beta.4

2024.10.1-beta.5

2024.10.1-beta.6

2024.10.2-alpha.0

2024.10.2-alpha.1

2024.10.2-alpha.2

2024.11.0-alpha.1

2024.11.0-alpha.2

2024.11.0-alpha.3

2024.11.0-beta.4

2024.2.0-beta.1

2024.2.0-beta.10

2024.2.0-beta.12

2024.2.0-beta.13

2024.2.0-beta.2

2024.2.0-beta.3

2024.2.0-beta.4

2024.2.0-beta.5

2024.2.0-beta.6

2024.2.0-beta.7

2024.2.0-beta.8

2024.2.0-beta.9

2024.7.0

2024.7.0-beta.0

2024.7.0-beta.1

2024.7.0-beta.2

2024.7.0-beta.3

2024.7.0-rc.4

2024.7.0-rc.5

2024.7.0-rc.6

2024.7.0-rc.7

2024.7.0-rc.8

2024.8.0

2024.8.0-alpha.0

2024.8.0-alpha.1

2024.8.0-beta.2

2024.8.0-rc.3

2024.8.0-rc.4

2024.8.0-rc.5

2024.9.0

2024.9.0-alpha.0

2024.9.0-alpha.1

2024.9.0-alpha.10

2024.9.0-alpha.11

2024.9.0-alpha.12

2024.9.0-alpha.13

2024.9.0-alpha.2

2024.9.0-alpha.3

2024.9.0-alpha.4

2024.9.0-alpha.5

2024.9.0-alpha.6

2024.9.0-alpha.7

2024.9.0-alpha.8

2024.9.0-alpha.9

2024.9.0-beta.14

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52592.json"