Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.

The most critical vulnerability, CVE-2023-36460, lies in the media attachments feature and allows attackers to create and overwrite files in any location the software can access on an instance.

This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon’s HTML sanitization process.

The remaining three vulnerabilities were classified as high and medium severity. They included “Blind LDAP injection in login,” which allowed attackers to extract arbitrary attributes from the LDAP database, “Denial of Service through slow HTTP responses,” and a formatting issue with “Verified profile links.” Each of these flaws posed different levels of risk to Mastodon users.