CVE-2023-36459 - Vulnerability Details - OpenCVE

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Joinmastodon	Mastodon

Configuration 1 [-]

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/06/5
https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2
https://github.com/mastodon/mastodon/releases/tag/v3.5.9
https://github.com/mastodon/mastodon/releases/tag/v4.0.5
https://github.com/mastodon/mastodon/releases/tag/v4.1.3
https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

History

Thu, 14 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-06T18:29:07.669Z

Updated: 2025-02-13T16:56:17.330Z

Reserved: 2023-06-21T18:50:41.699Z

Link: CVE-2023-36459

Vulnrichment

Updated: 2024-08-02T16:45:57.102Z

NVD

Status : Modified

Published: 2023-07-06T19:15:10.727

Modified: 2024-11-21T08:09:45.380

Link: CVE-2023-36459

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36459", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-21T18:50:41.699Z", "datePublished": "2023-07-06T18:29:07.669Z", "dateUpdated": "2025-02-13T16:56:17.330Z"}, "containers": {"cna": {"title": "Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"}, {"name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 1.3, < 3.5.9", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.5", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-06T18:30:10.023Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."}], "source": {"advisory": "GHSA-ccm4-vgcc-73hp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.102Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"}, {"name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/5", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-14T14:07:13.081530Z", "id": "CVE-2023-36459", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T14:07:24.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:45:57.102Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-14T14:07:13.081530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T14:07:20.332Z"}}], "cna": {"title": "Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards", "source": {"advisory": "GHSA-ccm4-vgcc-73hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": ">= 1.3, < 3.5.9"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.5"}, {"status": "affected", "version": ">= 4.1.0, < 4.1.3"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-06T18:30:10.023Z"}}}, "cveMetadata": {"cveId": "CVE-2023-36459", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:56:17.330Z", "dateReserved": "2023-06-21T18:50:41.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-07-06T18:29:07.669Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "B812C873-88F0-4897-B42C-A67FA6EBB394", "versionEndExcluding": "3.5.9", "versionStartIncluding": "1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."}], "id": "CVE-2023-36459", "lastModified": "2024-11-21T08:09:45.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-06T19:15:10.727", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}