Mastodon
by Mastodon
Source repositories
CVEs (49)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-36459 | 0.00 | — | 0.01 | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in… | |||
| CVE-2023-28853 | 0.00 | — | 0.01 | Apr 4, 2023 | Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform… | |||
| CVE-2022-48364 | 0.00 | — | 0.01 | Mar 6, 2023 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was… | |||
| CVE-2022-46405 | 0.00 | — | 0.01 | Dec 4, 2022 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of… | |||
| CVE-2022-2166 | 0.00 | — | 0.01 | Nov 16, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | |||
| CVE-2022-31263 | 0.00 | — | 0.01 | May 24, 2022 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | |||
| CVE-2022-24307 | 0.00 | — | 0.01 | Feb 3, 2022 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | |||
| CVE-2022-0432 | 0.00 | — | 0.04 | Feb 2, 2022 | Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | |||
| CVE-2018-21018 | 0.00 | — | 0.03 | Sep 22, 2019 | Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions. |
- CVE-2023-36459Jul 6, 2023risk 0.00cvss —epss 0.01
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in…
- CVE-2023-28853Apr 4, 2023risk 0.00cvss —epss 0.01
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform…
- CVE-2022-48364Mar 6, 2023risk 0.00cvss —epss 0.01
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was…
- CVE-2022-46405Dec 4, 2022risk 0.00cvss —epss 0.01
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of…
- CVE-2022-2166Nov 16, 2022risk 0.00cvss —epss 0.01
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
- CVE-2022-31263May 24, 2022risk 0.00cvss —epss 0.01
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
- CVE-2022-24307Feb 3, 2022risk 0.00cvss —epss 0.01
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
- CVE-2022-0432Feb 2, 2022risk 0.00cvss —epss 0.04
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
- CVE-2018-21018Sep 22, 2019risk 0.00cvss —epss 0.03
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
Page 3 of 3