CVE-2023-36462
Published: 2023-07-06
Priority: P428 | Severity: medium | CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.53% (40.6th percentile)
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | >= 2.6.0 < 3.5.9 | 3.5.9 |
| joinmastodon | mastodon | >= 4.0.0 < 4.0.5 | 4.0.5 |
| joinmastodon | mastodon | >= 4.1.0 < 4.1.3 | 4.1.3 |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c
https://github.com/mastodon/mastodon/releases/tag/v3.5.9
https://github.com/mastodon/mastodon/releases/tag/v4.0.5
https://github.com/mastodon/mastodon/releases/tag/v4.1.3
https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq