Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

July 7, 2023 | Swati Khandelwal | Vulnerability / Social Media


Mastodon, a popular decentralized social network, has released a security update that fixes a critical vulnerability that could expose millions of users to potential attacks.

Mastodon is known for its federated model consisting of thousands of individual servers called “instances”, with over 14 million users on over 20,000 instances.

The most severe vulnerability, CVE-2023-36460, allows attackers to abuse flaws in the media attachment functionality to create and overwrite files in any location the software can access on the instance.
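The class of bug described above is an attachment path that ends up outside the directory it was meant for. The following Ruby snippet is an added example, not Mastodon's own code, showing the containment check a server should apply before writing an attachment to disk; the media root directory and the file names are constructed values chosen for illustration.

```ruby
# Added example (not Mastodon's code): refuse attachment names that would
# resolve outside the media directory before any file is created there.
# MEDIA_ROOT is an assumed location used only for this demonstration.
MEDIA_ROOT = File.expand_path('/srv/mastodon/media')

# Returns the absolute path under +root+ where +name+ may be written,
# or nil when the name would land anywhere else on the filesystem.
def safe_attachment_path(name, root = MEDIA_ROOT)
  return nil if name.nil? || name.empty?
  # NUL bytes and home-directory expansion have no place in an upload name
  return nil if name.include?("\0") || name.start_with?('~')

  # Resolve "..", "." and absolute components relative to the media root
  candidate = File.expand_path(name, root)

  # The resolved path must be strictly inside the root, not the root itself
  # and not a sibling directory that merely shares the root's prefix
  return nil unless candidate.start_with?(root + File::SEPARATOR)

  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: one legitimate, the rest escaping the root
  ['avatar.png', 'sub/image.webp', '../../etc/hosts', '/etc/hosts', 'sub/../../x'].each do |n|
    puts "#{n.inspect} -> #{safe_attachment_path(n).inspect}"
  end
end
```

Only the first two names resolve to a path under the media root; every other form, including an absolute path and a relative path that climbs past the root, is rejected before any write happens.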

Vulnerabilities in this software can be exploited for DoS attacks and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

If an attacker gained control over multiple instances, they could trick users into downloading a malicious application or bring down the entire Mastodon infrastructure. Fortunately, there is no evidence that this vulnerability has been exploited so far.

This critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

Recent patch releases addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow an attacker to bypass Mastodon's HTML sanitization process and inject arbitrary HTML into the oEmbed preview card.

This introduces a vector for cross-site scripting (XSS) payloads that execute malicious code when a user clicks on a preview card associated with a malicious link.


The remaining three vulnerabilities were classified as high and medium severity. They include "blind LDAP injection at login", which allows an attacker to extract arbitrary attributes from the LDAP database; "denial of service through slow HTTP responses"; and "verified profile link" formatting issues. Each of these flaws presented a different level of risk to Mastodon users.
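The "blind LDAP injection at login" item is the familiar case of untrusted login input being interpolated into an LDAP search filter. The Ruby snippet below is an added example, not Mastodon's code, showing the RFC 4515 filter escaping that neutralizes the filter metacharacters before the value is placed in a search filter; the filter shape and the sample inputs are assumptions made for the demonstration.

```ruby
# Added example (not Mastodon's code): escape a user-supplied value before it
# is interpolated into an LDAP search filter, following RFC 4515 section 3.
LDAP_FILTER_ESCAPES = {
  "\\" => '\5c', # backslash must be escaped first conceptually; gsub handles each char once
  '*'  => '\2a', # wildcard
  '('  => '\28', # filter grouping
  ')'  => '\29',
  "\0" => '\00'  # NUL byte
}.freeze

# Replace every filter metacharacter with its \XX hex form so the value is
# matched literally rather than interpreted as filter syntax.
def escape_ldap_filter(value)
  value.to_s.gsub(/[\\*()\0]/) { |c| LDAP_FILTER_ESCAPES[c] }
end

# Build the lookup filter used at login (assumed shape for this example).
def login_filter(uid)
  "(&(objectClass=person)(uid=#{escape_ldap_filter(uid)}))"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal uid and one containing metacharacters
  ['alice', 'a*b(c)\\'].each { |uid| puts login_filter(uid) }
end
```

With the escaping in place, a value such as `a*b(c)\` becomes `a\2ab\28c\29\5c` inside the filter, so the directory server compares it as a literal string and the input cannot change the filter's structure.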

To protect themselves, Mastodon users simply need to ensure that the instances they use have installed the necessary updates promptly.
