Total
16 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-23832 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 9.8 CRITICAL |
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5. | |||||
CVE-2023-42452 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 5.4 MEDIUM |
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue. | |||||
CVE-2023-42451 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 7.5 HIGH |
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue. | |||||
CVE-2023-42450 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 7.5 HIGH |
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue. | |||||
CVE-2023-28853 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 6.5 MEDIUM |
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | |||||
CVE-2023-36462 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 5.4 MEDIUM |
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue. | |||||
CVE-2023-36460 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 9.9 CRITICAL |
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue. | |||||
CVE-2023-36461 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 7.5 HIGH |
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue. | |||||
CVE-2023-36459 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 6.1 MEDIUM |
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue. | |||||
CVE-2022-48364 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 4.3 MEDIUM |
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | |||||
CVE-2022-46405 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 7.5 HIGH |
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages. | |||||
CVE-2022-2166 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | N/A | 9.8 CRITICAL |
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | |||||
CVE-2022-31263 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | |||||
CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | |||||
CVE-2022-24307 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | |||||
CVE-2018-21018 | 1 Joinmastodon | 1 Mastodon | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions. |