CVE-2023-24812: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

February 22, 2023 (updated April 10, 2023)

Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the api/notes/search-by-tag endpoint.

References

github.com/misskey-dev/misskey/commit/ee74df68233adcd5b167258c621565f97c3b2306
github.com/misskey-dev/misskey/security/advisories/GHSA-cgwp-vmr4-wx4q
nvd.nist.gov/vuln/detail/CVE-2023-24812

Detect and mitigate CVE-2023-24812 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →