Mastodon, the decentralized social networking platform, has recently addressed four vulnerabilities, one of which is classified as critical. This critical flaw, named TootRoot and tracked as CVE-2023-36460, enables hackers to create arbitrary files on the server using specially crafted media files.
Discovered by independent auditors at Cure53, these vulnerabilities were identified during a code inspection at the request of Mozilla.
Furthermore, CVE-2023-36460, the most severe vulnerability, resides in Mastodon’s media processing code, allowing attackers to exploit media files attached to toots (equivalent to tweets) and potentially execute arbitrary remote code or cause denial of service issues.
Security researcher Kevin Beaumont emphasized the risks associated with TootRoot, as it could be exploited to plant backdoors on servers delivering content to Mastodon users, granting attackers unrestricted control over server operations and user data.
Additionally, the second critical-severity vulnerability, CVE-2023-36459, involves cross-site scripting (XSS) on oEmbed preview cards used in Mastodon. This flaw bypasses HTML sanitization on the target browser and could be leveraged for account hijacking, user impersonation, or unauthorized access to sensitive data.
Mastodon also addressed two other high-severity vulnerabilities: CVE-2023-36461, a denial-of-service flaw through slow HTTP responses, and CVE-2023-36462, a deceptive formatting vulnerability that enables phishing attacks by manipulating verified profile links.
The patched vulnerabilities affect all Mastodon versions from 3.5.0 onward and have been resolved in versions 3.5.9, 4.0.5, and 4.1.3.
These patches are crucial server security updates that administrators must apply promptly to safeguard their Mastodon communities from potential exploitation and protect user data from unauthorized access or manipulation.
