Jul 07, 2023Swati KhandelwalVulnerability / Social Media
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.
Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances.
The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance.
This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.
If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so far.
The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.
The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization process.
Consequently, this introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when users clicked on preview cards associated with malicious links.
The remaining three vulnerabilities were classified as high and medium severity. They included "Blind LDAP injection in login," which allowed attackers to extract arbitrary attributes from the LDAP database, "Denial of Service through slow HTTP responses," and a formatting issue with "Verified profile links." Each of these flaws posed different levels of risk to Mastodon users.
To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.
from The Hacker News https://bit.ly/44RSUTh