Lucene search

GitHub_MCVE-2023-42452

HistorySep 19, 2023 - 4:15 p.m.

CVE-2023-42452

2023-09-1916:15:13

CWE-79

GitHub_M

web.nvd.nist.gov

mastodon

social network

server

xss

html sanitization

security policy

cve-2023-42452

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon’s strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.

Affected configurations

Nvd

Vulners

Node

joinmastodonmastodonRange4.0.0–4.0.10

joinmastodonmastodonRange4.1.0–4.1.8

joinmastodonmastodonMatch4.2.0beta1

joinmastodonmastodonMatch4.2.0beta2

joinmastodonmastodonMatch4.2.0beta3

joinmastodonmastodonMatch4.2.0rc1

VendorProductVersionCPE
joinmastodonmastodon*cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*

Vendor	Product	Version	CPE
joinmastodon	mastodon	*	cpe:2.3:a:joinmastodon:mastodon::::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1::::::

CNA Affected

[
  {
    "vendor": "mastodon",
    "product": "mastodon",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.0.10",
        "status": "affected"
      },
      {
        "version": ">= 4.1.0, < 4.1.8",
        "status": "affected"
      },
      {
        "version": ">= 4.2.0-beta1, < 4.2.0-rc2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2

github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

Related for CVE-2023-42452