Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
History

Thu, 14 Nov 2024 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-06T18:29:07.669Z

Updated: 2024-11-14T14:07:24.022Z

Reserved: 2023-06-21T18:50:41.699Z

Link: CVE-2023-36459

cve-icon Vulnrichment

Updated: 2024-08-02T16:45:57.102Z

cve-icon NVD

Status : Modified

Published: 2023-07-06T19:15:10.727

Modified: 2024-11-21T08:09:45.380

Link: CVE-2023-36459

cve-icon Redhat

No data.