CVE-2023-36459

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/07/06/5	Mailing List
https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2	Patch Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v3.5.9	Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.0.5	Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.1.3	Third Party Advisory
https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

No history.

Information

Published : 2023-07-06 19:15

Updated : 2023-07-14 19:33

NVD link : CVE-2023-36459

Mitre link : CVE-2023-36459

CVE.ORG link : CVE-2023-36459

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-36459", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}]}, "published": "2023-07-06T19:15:10.727", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/07/06/5", "tags": ["Mailing List"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."}], "lastModified": "2023-07-14T19:33:36.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B812C873-88F0-4897-B42C-A67FA6EBB394", "versionEndExcluding": "3.5.9", "versionStartIncluding": "1.3"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}