Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HJoinmastodon Mastodon
APPJoinmastodon3.5.0 – 3.5.9 (bez)4.0.0 – 4.0.5 (bez)4.1.0 – 4.1.3 (bez)
Related vulnerabilities
Mastodon: Podszywanie się pod zdalne konta poprzez brak walidacji origin
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior ...
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0....
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming...
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.