
9 matches found

CVE-2023-36460 (added 2023/07/06 7:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attack...

CVSS 9.9 | AI score 9.7 | EPSS 0.34243
CVE-2022-48364 (added 2023/03/06 2:15 p.m.)

The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive...

CVSS 4.3 | AI score 4.5 | EPSS 0.00075
CVE-2023-36459 (added 2023/07/06 7:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview card...

CVSS 9.3 | AI score 7.2 | EPSS 0.00165
CVE-2023-42452 (added 2023/09/19 4:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to exe...

CVSS 6.1 | AI score 5.9 | EPSS 0.00476
CVE-2023-36461 (added 2023/07/06 7:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowlo...

CVSS 7.5 | AI score 7.5 | EPSS 0.00163
CVE-2023-42450 (added 2023/09/19 4:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if t...

CVSS 7.5 | AI score 6.4 | EPSS 0.0028
CVE-2023-42451 (added 2023/09/19 4:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00174
CVE-2023-28853 (added 2023/04/04 10:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection atta...

CVSS 7.7 | AI score 6.8 | EPSS 0.00433
CVE-2023-36462 (added 2023/07/06 8:15 p.m.)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a dif...

CVSS 5.4 | AI score 5.8 | EPSS 0.01525