Vulnerabilities (CVE)

Filtered by vendor Joinmastodon
Filtered by product Mastodon
Total: 27 CVEs (7 listed on this page)
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3
CVE-2023-36459 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.3 CRITICAL
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
CVE-2023-28853 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 7.7 HIGH
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows LDAP to be configured for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login incorporates the submitted value unsafely, so an attacker can perform an LDAP injection attack and leak arbitrary attributes from the LDAP directory. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
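The LDAP injection in CVE-2023-28853 is the classic shape of this bug class: the login e-mail is dropped into an LDAP search filter as text, so filter syntax in the e-mail field changes the query. The Ruby example below is added here to show the vulnerable and escaped forms side by side; it is not Mastodon's code. It assumes a hypothetical filter template `(&(mail=%{email})(objectClass=person))`, a constructed in-memory directory in place of a real LDAP server, and a toy evaluator covering only the RFC 4515 subset the demonstration needs. `ldap_filter_escape` implements RFC 4515 value escaping (the same transformation `Net::LDAP::Filter.escape` in the net-ldap gem applies).

```ruby
# Added example (not Mastodon's code): LDAP filter injection in a login
# lookup, and the RFC 4515 value escaping that prevents it.

# Constructed stand-in for the LDAP directory: a list of attribute hashes.
DIRECTORY = [
  { 'mail' => 'alice@example.com', 'telephoneNumber' => '555-0100', 'objectClass' => 'person' },
  { 'mail' => 'bob@example.com',   'telephoneNumber' => '777-0199', 'objectClass' => 'person' }
].freeze

# Hypothetical login filter template; %{email} is replaced with the submitted address.
LOGIN_FILTER_TEMPLATE = '(&(mail=%{email})(objectClass=person))'

# RFC 4515 escaping of a value placed inside a filter: the characters that carry
# filter syntax become \XX hex escapes so they can only be matched as data.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Builds the search filter from untrusted input. escape: false is the vulnerable shape.
def build_login_filter(email, escape:)
  LOGIN_FILTER_TEMPLATE.sub('%{email}', escape ? ldap_filter_escape(email) : email)
end

# Toy filter evaluator for the RFC 4515 subset used here: &, |, !, equality and
# substring matches with '*'. A real server does the same job; a local one lets
# the example run offline.
module ToyFilter
  module_function

  def parse(str)
    node, rest = parse_node(str)
    raise ArgumentError, "trailing data #{rest.inspect}" unless rest.empty?
    node
  end

  def parse_node(s)
    raise ArgumentError, "expected '(' at #{s.inspect}" unless s.start_with?('(')
    s = s[1..]
    case s[0]
    when '&', '|'
      op = s[0]
      s = s[1..]
      kids = []
      until s.start_with?(')')
        kid, s = parse_node(s)
        kids << kid
      end
      [[op, kids], s[1..]]
    when '!'
      kid, s = parse_node(s[1..])
      raise ArgumentError, "expected ')' after !" unless s.start_with?(')')
      [['!', [kid]], s[1..]]
    else
      m = s.match(/\A([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)/)
      raise ArgumentError, "bad item at #{s.inspect}" unless m
      [['=', [m[1], m[2]]], m.post_match]
    end
  end

  def match?(node, entry)
    op, args = node
    case op
    when '&' then args.all? { |k| match?(k, entry) }
    when '|' then args.any? { |k| match?(k, entry) }
    when '!' then !match?(args[0], entry)
    when '='
      attr, pattern = args
      value = entry[attr]
      return false if value.nil?
      # Split on unescaped '*' first, then decode \XX escapes inside each literal piece,
      # so an escaped '*' or ')' is matched literally rather than as syntax.
      pieces = pattern.split('*', -1).map do |piece|
        Regexp.escape(piece.gsub(/\\([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr })
      end
      value.match?(/\A#{pieces.join('.*')}\z/)
    end
  end
end

# Returns the e-mail addresses of directory entries matching the filter.
def search(filter_str)
  node = ToyFilter.parse(filter_str)
  DIRECTORY.select { |e| ToyFilter.match?(node, e) }.map { |e| e['mail'] }
end

if $PROGRAM_NAME == __FILE__
  # Attacker-controlled e-mail that appends a probe on another attribute.
  probe = 'alice@example.com)(telephoneNumber=555*'
  puts "vulnerable: #{search(build_login_filter(probe, escape: false)).inspect}"
  puts "escaped:    #{search(build_login_filter(probe, escape: true)).inspect}"
end
```

With the vulnerable builder, the probe `alice@example.com)(telephoneNumber=555*` yields a well-formed filter that matches Alice only when her telephone number starts with 555, so the attacker reads the attribute one prefix at a time by watching whether the login lookup finds a user; a bare `*` matches every account. With escaping, the injected parentheses and asterisk become `\29`, `\28` and `\2a`, the whole string is compared as a literal mail value, and nothing matches.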
CVE-2022-31263 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: 5.0 MEDIUM | CVSS v3: 5.3 MEDIUM
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
CVE-2022-2166 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVE-2022-24307 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
CVE-2022-0432 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
CVE-2018-21018 | Vendors: 1 (Joinmastodon) | Products: 1 (Mastodon) | Updated: 2024-11-21 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.