Home > Vulnerability Database > CVE-2023-36462

Mend.io Vulnerability Database

CVE-2023-36462

Good to know:

Date: July 6, 2023

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Language: Ruby

Severity Score

5.4

Related Resources (7)

Url: https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-36462

Url: https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq

Url: https://github.com/mastodon/mastodon/releases/tag/v4.0.5

Url: https://github.com/mastodon/mastodon/releases/tag/v4.1.3

Url: https://github.com/mastodon/mastodon/releases/tag/v3.5.9

Url: https://www.mend.io/vulnerability-database/CVE-2023-36462

Severity Score

5.4

Weakness Type (CWE)

Input Validation

CWE-20

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v3.5.9,v4.0.5,v4.1.3

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-36462

Good to know:

Date: July 6, 2023

Language: Ruby

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?