CVE-2023-36462

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

History

13 Jul 2023, 19:27

Type Values Removed Values Added
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.1.3 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.1.3 - Release Notes
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.0.5 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.0.5 - Release Notes
References (MISC) https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c - (MISC) https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c - Patch
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v3.5.9 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v3.5.9 - Release Notes
References (MISC) https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq - (MISC) https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq - Vendor Advisory
CPE cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
First Time Joinmastodon mastodon
Joinmastodon
CWE CWE-20 NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4

06 Jul 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-06 20:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-36462

Mitre link : CVE-2023-36462

CVE.ORG link : CVE-2023-36462


JSON object : View

Products Affected

joinmastodon

  • mastodon
CWE
NVD-CWE-noinfo CWE-20

Improper Input Validation