Social media challenger Mastodon has issued a fix for new fewer than five security vulnerabilities, the majority of which categorized as high or critical severity.
The flaws include CVE-2023-36460, which could have allowed an attacker to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. The update confirms that versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this vulnerability.
Despite a brief overview, few details have been confirmed about the vulnerability. It is believed that an attacker might have been able to spread malware using the vulnerability, but it’s so far unclear whether there has been an active exploit.
Mastodon security patches
The description for another vulnerability, known as CVE-2023-36462, reads: “An attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether.” This was considered to have the least severe consequences, marked as moderate.
Through this, an attacker might have been able to reformat URLs to mask the fact that they were instead redirecting to phishing campaigns or malware sites.
Further high and critical issues fixed include a slowloris-type Denial of Service attack vulnerability, cross-site scripting (XSS) attacks, and the potential for an attacker to leak arbitrary attributes from the LDAP database.
While Mastodon is responsible for issuing the fixes, Cure53 has been credited with the penetration testing, with thanks to funding from the Mozilla Foundation.
This comes at a time when Mastodon continues to attract new social media users as Twitter users look to abandon the once Musk-led platform. With new CEO Linda Yaccarino at the helm, positive changes are yet to materialize. At the same time, Meta’s new Threads platform is trying to sweep up ex-Twitter users.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba