Mastodon, a popular decentralized social network, has released a security update to fix a critical vulnerability that could expose millions of users to potential attacks.
Mastodon is known for its federated model, which consists of thousands of separate servers called “instances”, and has more than 14 million users across more than 20,000 instances.
The most critical vulnerability, CVE-2023-36460, allows attackers to exploit weaknesses in the media attachment feature to create and overwrite files in any location the software can access.
This vulnerability could be used for denial-of-service (DoS) and arbitrary remote code execution attacks, posing a significant threat to users and the wider Internet ecosystem.
If an attacker gained control of multiple instances, they could cause damage by tricking users into downloading a malicious application, or even bring down the entire Mastodon infrastructure. Fortunately, so far there is no evidence of this vulnerability being exploited.
The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.
The recent patch release addresses five vulnerabilities in total, including another important issue tracked as CVE-2023-36459. This vulnerability allowed an attacker to inject arbitrary HTML into the oEmbed preview card, bypassing Mastodon’s HTML sanitization process.
As a result, it introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when a user clicked on a preview card associated with a malicious link.
The other three vulnerabilities are classified as high and moderate severity. They include “Blind LDAP injection in login”, which allowed an attacker to extract arbitrary attributes from an LDAP database, “Denial of Service over slow HTTP response”, and formatting issues with “Verified profile link”. Each of these weaknesses poses a different level of risk to Mastodon users.
To protect themselves, Mastodon users simply need to ensure that the instances they are subscribed to have the necessary updates installed promptly.