Lucene search

[email protected]CVE-2023-36459

HistoryJul 06, 2023 - 7:15 p.m.

CVE-2023-36459

2023-07-0619:15:10

CWE-79

[email protected]

web.nvd.nist.gov

mastodon

social network

server

xss

vulnerability

html sanitization

oembed

cross-site scripting

nvd

cve-2023-36459

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.7%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Affected configurations

Vulners

NVD

Node

mastodonmastodonRange1.3–3.5.9

mastodonmastodonRange4.0.0–4.0.5

mastodonmastodonRange4.1.0–4.1.3

CPENameOperatorVersion
joinmastodon:mastodonjoinmastodon mastodonlt3.5.9
joinmastodon:mastodonjoinmastodon mastodonlt4.0.5
joinmastodon:mastodonjoinmastodon mastodonlt4.1.3

CPE	Name	Operator	Version
joinmastodon:mastodon	joinmastodon mastodon	lt	3.5.9
joinmastodon:mastodon	joinmastodon mastodon	lt	4.0.5
joinmastodon:mastodon	joinmastodon mastodon	lt	4.1.3

CNA Affected

[
  {
    "vendor": "mastodon",
    "product": "mastodon",
    "versions": [
      {
        "version": ">= 1.3, < 3.5.9",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.0.5",
        "status": "affected"
      },
      {
        "version": ">= 4.1.0, < 4.1.3",
        "status": "affected"
      }
    ]
  }
]