Social media challenger Mastodon has issued a fix for new fewer than five security vulnerabilities, the majority of which categorized as high or critical severity.
The flaws include CVE-2023-36460, which could have allowed an attacker to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. The update confirms that versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this vulnerability.
Despite a brief overview, few details have been confirmed about the vulnerability. It is believed that an attacker might have been able to spread malware using the vulnerability, but it’s so far unclear whether there has been an active exploit.
Mastodon security patches
The description for another vulnerability, known as CVE-2023-36462, reads: “An attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether.” This was considered to have the least severe consequences, marked as moderate.
Through this, an attacker might have been able to reformat URLs to mask the fact that they were instead redirecting to phishing campaigns or malware sites.
Further high and critical issues fixed include a slowloris-type Denial of Service attack vulnerability, cross-site scripting (XSS) attacks, and the potential for an attacker to leak arbitrary attributes from the LDAP database.
While Mastodon is responsible for issuing the fixes, Cure53 has been credited with the penetration testing, with thanks to funding from the Mozilla Foundation.
This comes at a time when Mastodon continues to attract new social media users as Twitter users look to abandon the once Musk-led platform. With new CEO Linda Yaccarino at the helm, positive changes are yet to materialize. At the same time, Meta’s new Threads platform is trying to sweep up ex-Twitter users.