Lucene search

PRIOn knowledge basePRION:CVE-2023-36459

HistoryJul 06, 2023 - 7:15 p.m.

Cross site scripting

2023-07-0619:15:00

PRIOn knowledge base

www.prio-n.com

mastodon

xss

vulnerability

patch

html

oembed

browser

security

open-source

0.001 Low

EPSS

Percentile

30.8%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

CPENameOperatorVersion
mastodonge4.0.0
mastodonlt4.0.5
mastodonge4.1.0
mastodonlt4.1.3
mastodonge1.3
mastodonlt3.5.9

Name	Operator	Version
mastodon	ge	4.0.0
mastodon	lt	4.0.5
mastodon	ge	4.1.0
mastodon	lt	4.1.3
mastodon	ge	1.3
mastodon	lt	3.5.9

References

www.openwall.com/lists/oss-security/2023/07/06/5

github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2

github.com/mastodon/mastodon/releases/tag/v3.5.9

github.com/mastodon/mastodon/releases/tag/v4.0.5

github.com/mastodon/mastodon/releases/tag/v4.1.3

github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

0.001 Low

EPSS

Percentile

30.8%

JSON

Related for PRION:CVE-2023-36459