oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-36459: mastodon: XSS through oEmbed preview cards

From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 6 Jul 2023 18:23:25 -0400
(I have no affiliation with the project, but posting
this here because it seems to me that increasingly
non-packaged / GitHub distributed projects tend not to
send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

(This advisory describes an issue found by Cure53 as
part of an audit performed at Mozilla's request)

Using carefully crafted oEmbed data, an attacker can
bypass the HTML sanitization performed by Mastodon and
include arbitrary HTML in oEmbed preview cards.

Impact
This introduces a vector for Cross-site-scripting
(XSS) payloads that can be rendered in the user's
browser when a preview card for a malicious link is
clicked through.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Severity: 9.3/10

CVE-2023-36459

Affected versions: >= 1.3
Patched versions:  4.1.3, 4.0.5, 3.5.9
Previous By Date Next
Previous By Thread Next

Current thread: