Summary
Missing validation in NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user.
Impact
Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users.
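The kind of check the summary says is missing, as an added example (not Misskey's code or its actual fix): a remote object's link is accepted only when it is HTTPS and its host equals the host of the object's own id. The names RemoteObject, parseHttps and safeOriginUrl, the strict host-equality policy, and the sample URLs are assumptions constructed for illustration.

```typescript
// Added example; names and policy are hypothetical, not taken from Misskey.
interface RemoteObject {
  id: string;    // URI the note / user was fetched from
  url?: unknown; // remote-supplied value used for "origin" links
}

// Parse a value as an absolute HTTPS URL, or return null.
function parseHttps(value: unknown): URL | null {
  if (typeof value !== "string") return null;
  try {
    const parsed = new URL(value);
    return parsed.protocol === "https:" ? parsed : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Returns the normalized link to render, or null if it must not be trusted.
function safeOriginUrl(obj: RemoteObject): string | null {
  const id = parseHttps(obj.id);
  const url = parseHttps(obj.url);
  if (id === null || url === null) return null;
  // URL.host is already lower-cased and punycode-encoded by the parser,
  // and excludes any "user@" prefix, so a direct comparison is enough.
  if (url.host !== id.host) return null;
  return url.href;
}

// Constructed sample inputs (reserved .example domains).
const samples: RemoteObject[] = [
  { id: "https://remote.example/notes/1", url: "https://remote.example/@alice/1" },
  { id: "https://remote.example/notes/2", url: "https://other.example/notes/2" },
  { id: "https://remote.example/notes/3", url: "https://remote.example@other.example/" },
  { id: "https://remote.example/notes/4", url: "https://remote.example.other.example/" },
  { id: "https://remote.example/notes/5", url: "http://remote.example/notes/5" },
];
for (const s of samples) {
  console.log(s.url, "->", safeOriginUrl(s) ?? "rejected");
}
```

Only the first sample is accepted; the others fail on a different host, a userinfo prefix that hides the real host, a lookalike parent domain, and a non-HTTPS scheme.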