CVE-2023-36460
Published 2023-07-06
Priority: P273 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 37.26% (98.3rd percentile)
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | >= 3.5.0 < 3.5.9 | 3.5.9 |
| joinmastodon | mastodon | >= 4.0.0 < 4.0.5 | 4.0.5 |
| joinmastodon | mastodon | >= 4.1.0 < 4.1.3 | 4.1.3 |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
Detection & IOCs (extracted from sources)
- Exploitation of CVE-2023-36460 results in web shell creation on Mastodon server instances; monitor for unexpected new files written by the Mastodon process, especially in web-accessible directories.
- The vulnerability is triggered via crafted media file uploads; monitor Mastodon media processing for file creation events outside expected media storage paths.
- Successful exploitation allows arbitrary file creation/overwrite by the Mastodon process, enabling RCE and DoS; alert on file writes to sensitive paths (e.g., config, initializers, public) by the Mastodon service account.
- The vulnerability affects Mastodon versions starting from 3.5.0; versions 3.5.9, 4.0.5, and 4.1.3 contain the patch. Detection efforts should focus on unpatched instances running versions 3.5.0–3.5.8, 4.0.0–4.0.4, and 4.1.0–4.1.2.
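As an added defensive example (not part of this CVE record, nor Mastodon's own code), the script below applies the detection guidance above to file-creation events from the Mastodon service account. It assumes a conventional install at /home/mastodon/live running as user mastodon with local media under public/system; the events are constructed, not real audit output.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional
# Assumed layout: Mastodon checked out at /home/mastodon/live, running as
# user 'mastodon', local media stored under public/system (Paperclip default).
MASTODON_ROOT = PurePosixPath("/home/mastodon/live")
MASTODON_USER = "mastodon"
# Where media processing legitimately creates files.
EXPECTED_WRITE_ROOTS = (MASTODON_ROOT / "public" / "system", PurePosixPath("/tmp"))
# Sensitive locations named in the detection guidance above.
SENSITIVE_ROOTS = {
    MASTODON_ROOT / "config" / "initializers": "Ruby loaded at boot (RCE)",
    MASTODON_ROOT / "config": "configuration tampering",
    MASTODON_ROOT / "public": "web-accessible file (possible web shell)",
}

@dataclass
class FileEvent:
    user: str   # account that performed the write
    path: str   # absolute path created or overwritten
    op: str     # "create" or "overwrite"

def _under(path: PurePosixPath, root: PurePosixPath) -> bool:
    return path == root or root in path.parents

def classify(event: FileEvent) -> Optional[str]:
    """Return an alert reason, or None when the write looks benign."""
    if event.user != MASTODON_USER:
        return None                      # only the Mastodon account is in scope
    path = PurePosixPath(event.path)
    if any(_under(path, r) for r in EXPECTED_WRITE_ROOTS):
        return None                      # normal media storage write
    # Check the most specific sensitive root first (initializers before config).
    for root in sorted(SENSITIVE_ROOTS, key=lambda r: -len(r.parts)):
        if _under(path, root):
            return f"{event.op} {path}: {SENSITIVE_ROOTS[root]}"
    return f"{event.op} {path}: outside expected media storage"

def scan(events: List[FileEvent]) -> List[str]:
    return [r for r in map(classify, events) if r]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    FileEvent("mastodon", "/home/mastodon/live/public/system/media_attachments/files/1/original/cat.png", "create"),
    FileEvent("mastodon", "/home/mastodon/live/public/shell.html", "create"),
    FileEvent("mastodon", "/home/mastodon/live/config/initializers/zz.rb", "create"),
    FileEvent("postgres", "/var/lib/postgresql/15/main/base/1", "overwrite"),
]
if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Feed it events from auditd or a file-integrity monitor scoped to the Mastodon user to get the same classification on a live host.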
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Mastodon vulnerability allows attackers to take over accounts
blogs_bleepingcomputer·2024-02-03·CVSS 9.4
By Bill Toulas
Mastodon, the free and open-source decentralized social networking platform, has fixed a critical vulnerability that allows attackers to impersonate and take over any remote account.
The platform became popular after Elon Musk acquired Twitter and now boasts nearly 12 million users spread across 11,000 instances.
Instances (servers) on Mastodon are autonomous but interconnected (through a system known as "federation") communities that have their own guidelines and policies, controlled by owners who provide the infrastructure and act as administrators of their servers.
The newly fixed flaw is tracked as CVE-2024-23832 and stems from insufficient origin validation in Mastodon, allowing attackers to impersona
Checkpoint
10th July – Threat Intelligence Report
blogs_checkpoint·2023-07-10
For the latest discoveries in cyber research for the week of 10th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Japan’s Port of Nagoya, which handles 10% of Japan’s trade volume, has shut down its activity for 2 days after being hit by a ransomware attack. The port’s management attributed the attack to LockBit ransomware group.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit
References
- http://www.openwall.com/lists/oss-security/2023/07/06/4
- https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440
- https://github.com/mastodon/mastodon/releases/tag/v3.5.9
- https://github.com/mastodon/mastodon/releases/tag/v4.0.5
- https://github.com/mastodon/mastodon/releases/tag/v4.1.3
- https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm