Mastodon's verified profile links can be formatted in a misleading way
CVE-2023-36462

5.4MEDIUM

Key Information:

Vendor

Mastodon

Status
Mastodon
Vendor
CVE Published:
6 July 2023

What is CVE-2023-36462?

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Affected Version(s)

mastodon >= 2.6.0, < 3.5.9 < 2.6.0, 3.5.9

mastodon >= 4.0.0, < 4.0.5 < 4.0.0, 4.0.5

mastodon >= 4.1.0, < 4.1.3 < 4.1.0, 4.1.3

References

https://github.com/mastodon/mastodon/security/advisories/...
x_refsource_CONFIRM
https://github.com/mastodon/mastodon/commit/610731b03dfca...
x_refsource_MISC
https://github.com/mastodon/mastodon/releases/tag/v3.5.9
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.