CVE-2023-49095

nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab	Patch
https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nexryai:nexkey:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2023-11-30 07:15

Updated : 2023-12-05 17:31

NVD link : CVE-2023-49095

Mitre link : CVE-2023-49095

CVE.ORG link : CVE-2023-49095

JSON object : View

Products Affected

nexryai

nexkey

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2023-49095", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2023-11-30T07:15:09.133", "references": [{"url": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2."}, {"lang": "es", "value": "nexkey es una plataforma de microblogging. Una validaci\u00f3n insuficiente de las solicitudes de ActivityPub recibidas en la bandeja de entrada podr\u00eda permitir que cualquier usuario se haga pasar por otro usuario en determinadas circunstancias. Este problema se solucion\u00f3 en la versi\u00f3n 12.122.2."}], "lastModified": "2023-12-05T17:31:04.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nexryai:nexkey:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0A765E23-8158-4CD7-ACF2-66ECF9A3FA1E", "versionEndExcluding": "12.122.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}