CVE-2023-36459 : Mastodon is a free, open-source social network server based on ActivityPub. Star

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Published 2023-07-06 19:15:11

Updated 2023-07-14 19:33:36

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-36459

Joinmastodon » Mastodon
Versions from including (>=) 4.0.0 and before (<) 4.0.5
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Matching versions
Joinmastodon » Mastodon
Versions from including (>=) 4.1.0 and before (<) 4.1.3
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Matching versions
Joinmastodon » Mastodon
Versions from including (>=) 1.3 and before (<) 3.5.9
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-36459

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-36459

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
9.3	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N	2.8	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2023-36459

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-36459

https://github.com/mastodon/mastodon/releases/tag/v3.5.9

Release v3.5.9 · mastodon/mastodon · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/mastodon/mastodon/releases/tag/v4.0.5

Release v4.0.5 · mastodon/mastodon · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/mastodon/mastodon/releases/tag/v4.1.3

Release v4.1.3 · mastodon/mastodon · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2

Merge pull request from GHSA-ccm4-vgcc-73hp · mastodon/mastodon@6d8e0fa · GitHub
Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/07/06/5

oss-security - CVE-2023-36459: mastodon: XSS through oEmbed preview cards
Mailing List
https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

XSS through oEmbed preview cards · Advisory · mastodon/mastodon · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-36459

Products affected by CVE-2023-36459

Exploit prediction scoring system (EPSS) score for CVE-2023-36459

CVSS scores for CVE-2023-36459

CWE ids for CVE-2023-36459

References for CVE-2023-36459