July 7, 2023 | Swati Khandelwal | Vulnerability / Social Media

Mastodon, a popular decentralized social network, has released a security update that fixes a critical vulnerability that could expose millions of users to potential attacks.

Mastodon is known for its federated model consisting of thousands of individual servers called “instances”, with over 14 million users on over 20,000 instances.

The most critical of the vulnerabilities, CVE-2023-36460, allows attackers to exploit flaws in the media attachment functionality to create and overwrite files anywhere the software can access them on the instance.

Vulnerabilities in this software can be exploited for DoS attacks and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

If an attacker gains control over multiple instances, they could instruct a user to download a malicious application or bring down the entire Mastodon infrastructure. Fortunately, there is no evidence that this vulnerability has been exploited so far.

This critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

The recent patch releases addressed five vulnerabilities in total, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow an attacker to bypass Mastodon’s HTML sanitization process and inject arbitrary HTML into the oEmbed preview card.

This opens the door to cross-site scripting (XSS) payloads that can execute malicious code when a user clicks on a preview card associated with a malicious link.


The remaining three vulnerabilities were classified as high and medium severity. They include a “blind LDAP injection at login” that allows an attacker to extract arbitrary attributes from the LDAP database, a “denial of service due to slow HTTP responses”, and a formatting issue with “verified profile links”. Each of these flaws presented a different level of risk to Mastodon users.
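The blind LDAP injection above arises when a login identifier is interpolated into an LDAP search filter without escaping. The following is an added example in Ruby (Mastodon's own language), not Mastodon's code and not its actual fix: it shows an unsafe filter builder beside one that escapes the user-controlled value according to RFC 4515, and a small check that counts filter components so the difference is measurable. The attribute name `mail`, the function names and the sample input are assumptions made for this illustration.

```ruby
# Added example (not Mastodon's own code). Escaping user-controlled values
# before they are placed in an LDAP search filter, following RFC 4515 s.3:
# the characters '*', '(', ')', '\' and NUL are each replaced by a backslash
# followed by the two-digit hex code of the byte.
LDAP_FILTER_ESCAPES = {
  "\0" => '\\00',
  '*'  => '\\2a',
  '('  => '\\28',
  ')'  => '\\29',
  '\\' => '\\5c'
}.freeze

def escape_ldap_filter_value(value)
  value.to_s.gsub(/[\0*()\\]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Unsafe: the login identifier is interpolated verbatim, so characters in it
# become part of the filter syntax rather than part of the value.
def unsafe_login_filter(email, mail_attr: 'mail')
  "(#{mail_attr}=#{email})"
end

# Hardened: the attribute name comes from trusted configuration; only the
# attacker-controlled identifier needs escaping, and escaping it guarantees
# the filter keeps exactly the structure the code intended.
def login_filter(email, mail_attr: 'mail')
  "(#{mail_attr}=#{escape_ldap_filter_value(email)})"
end

# Count parenthesised filter components. A filter built from a single
# properly escaped value always has exactly one; more than one means the
# input changed the filter's structure.
def filter_component_count(filter)
  filter.scan(/\((?:[^()\\]|\\[0-9a-fA-F]{2})*\)/).length
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing filter metacharacters.
  sample = 'alice*)(cn=*'
  puts "unsafe:   #{unsafe_login_filter(sample)}  components=#{filter_component_count(unsafe_login_filter(sample))}"
  puts "hardened: #{login_filter(sample)}  components=#{filter_component_count(login_filter(sample))}"
end
```

The same escaping should be applied to every value that originates from a request, not just the login field; attribute names and the filter template itself should come only from configuration.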

To protect themselves, Mastodon users simply need to ensure that the instances they are registered on have the necessary updates installed immediately.
