Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon Social Network

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.

Mastodon is known for its federated model, consisting of thousands of separate servers called “instances,” and it has over 14 million users across more than 20,000 instances.

The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance.

This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so far.

The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon’s HTML sanitization process.

Consequently, this introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when users clicked on preview cards associated with malicious links.

UPCOMING WEBINAR
🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Learn, Connect, Grow

The remaining three vulnerabilities were classified as high and medium severity. They included “Blind LDAP injection in login,” which allowed attackers to extract arbitrary attributes from the LDAP database, “Denial of Service through slow HTTP responses,” and a formatting issue with “Verified profile links.” Each of these flaws posed different levels of risk to Mastodon users.

To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.