Home > Vulnerability Database > CVE-2023-36459

Mend.io Vulnerability Database

CVE-2023-36459

Good to know:

Date: July 6, 2023

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Language: Ruby

Severity Score

6.1

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-36459

Url: http://www.openwall.com/lists/oss-security/2023/07/06/5

Url: https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

Url: https://github.com/mastodon/mastodon/releases/tag/v4.0.5

Url: https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2

Url: https://github.com/mastodon/mastodon/releases/tag/v4.1.3

Url: https://github.com/mastodon/mastodon/releases/tag/v3.5.9

Url: https://www.mend.io/vulnerability-database/CVE-2023-36459

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version v3.5.9,v4.0.5,v4.1.3

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-36459

Good to know:

Date: July 6, 2023

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?