CRITICAL🇵🇱 Wersja polska

CVE-2023-36459

CVSS 9.3v3.1pub. 2023-07-06upd. 2024-11-21

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Joinmastodon Mastodon

    APP
    Joinmastodon
    1.3 – 3.5.9 (bez)4.0.0 – 4.0.5 (bez)4.1.0 – 4.1.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-23832CRITICAL9.4PL ✓ten sam produkt

Mastodon: Podszywanie się pod zdalne konta poprzez brak walidacji origin

CVE-2023-36460CRITICAL9.9ten sam produkt

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prio...

CVE-2022-2166CRITICAL9.8ten sam produkt

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0....

CVE-2022-24307CRITICAL9.8ten sam produkt

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming...

CVE-2018-21018CRITICAL9.8ten sam produkt

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.