Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NJoinmastodon Mastodon
APPJoinmastodon1.3 – 3.5.9 (bez)4.0.0 – 4.0.5 (bez)4.1.0 – 4.1.3 (bez)
Powiązane podatności
Mastodon: Podszywanie się pod zdalne konta poprzez brak walidacji origin
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prio...
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0....
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming...
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.