Scumjr

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 4.2.0-beta1 through 4.2.0-rc1 **Description** The issue is related to insufficient request validation on the server side, allowing attackers to inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED PRIVATE ADDRESSES` to allow access to local exploitable services. **Recommendations** For Mastodon versions 4.2.0-beta1 through 4.2.0-rc1, update to version 4.2.0-rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to local services by removing or limiting the `ALLOWED PRIVATE ADDRESSES` configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 3.5.14 Mastodon versions prior to 4.0.10 Mastodon versions prior to 4.1.8 Mastodon versions prior to 4.2.0-rc2 **Description** The issue is related to a flaw in domain name normalization, which can be exploited by attackers to spoof domains they do not own. This can lead to a cache poisoning attack. Under certain circumstances, remote attackers can exploit this flaw. **Recommendations** For versions prior to 3.5.14, update to version 3.5.14 or later. For versions prior to 4.0.10, update to version 4.0.10 or later. For versions prior to 4.1.8, update to version 4.1.8 or later. For versions prior to 4.2.0-rc2, update to version 4.2.0-rc2 or later.