Mastodon vulnerable to Stored XSS through the translation feature
CVE-2023-42452

6.1MEDIUM

Key Information:

Vendor: Mastodon
Status: Mastodon
Vendor: CVE Published:; 19 September 2023

What is CVE-2023-42452?

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.

Affected Version(s)

mastodon >= 4.0.0, < 4.0.10 < 4.0.0, 4.0.10

mastodon >= 4.1.0, < 4.1.8 < 4.1.0, 4.1.8

mastodon >= 4.2.0-beta1, < 4.2.0-rc2 < 4.2.0-beta1, 4.2.0-rc2

References

https://github.com/mastodon/mastodon/security/advisories/...

x_refsource_CONFIRM

https://github.com/mastodon/mastodon/commit/ff32475f5f4a8...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2023
Vulnerability Reserved
Sep 8, 2023

JSON