CVE-2023-36459: Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards
First published: Thu Jul 06 2023(Updated: )
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mastodon | >=1.3<3.5.9 | |
| Mastodon | >=4.0.0<4.0.5 | |
| Mastodon | >=4.1.0<4.1.3 | |
| Mastodon | =3.5.16 | |
| Mastodon | =4.0.x | |
| Mastodon | =4.1.x | |
| Mastodon | =4.2.x |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2023/07/06/5
- https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2
- https://github.com/mastodon/mastodon/releases/tag/v3.5.9
- https://github.com/mastodon/mastodon/releases/tag/v4.0.5
- https://github.com/mastodon/mastodon/releases/tag/v4.1.3
- https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp
- https://www.theregister.com/2024/02/02/critical_vulnerability_in_mastodon_is/
Frequently Asked Questions
What is CVE-2023-36459?
CVE-2023-36459 is a vulnerability in Mastodon, a free open-source social network server, that allows an attacker to bypass HTML sanitization and include arbitrary HTML in oEmbed preview cards.
What is the severity of CVE-2023-36459?
CVE-2023-36459 has a severity level of 6.1, which is considered critical.
How does CVE-2023-36459 affect Mastodon?
CVE-2023-36459 affects Mastodon versions 1.3 to 3.5.9, 4.0.0 to 4.0.5, and 4.1.0 to 4.1.3.
What can an attacker do with CVE-2023-36459?
An attacker can use carefully crafted oEmbed data to bypass HTML sanitization and include arbitrary HTML in oEmbed preview cards, potentially leading to further attacks.
How can I fix CVE-2023-36459?
To fix CVE-2023-36459, update Mastodon to version 3.5.9, 4.0.5, or 4.1.3 or later.
- agent/type
- collector/the-register
- source/The Register
- alias/CVE-2024-23832
- alias/CVE-2023-36460
- alias/CVE-2023-36459
- agent/weakness
- agent/references
- agent/remedy
- agent/softwarecombine
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/news-ai
- agent/software-canonical-lookup
- vendor/joinmastodon
- canonical/mastodon
- version/mastodon/1.3
- version/mastodon/4.0.0
- version/mastodon/4.1.0
- vendor/mastodon
- version/mastodon/3.5.16
- version/mastodon/4.0.x
- version/mastodon/4.1.x
- version/mastodon/4.2.x