Thisismissem

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 4.2.27 Mastodon versions prior to 4.3.14 Mastodon versions prior to 4.4.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. When an administrator resets a user account’s password using the command-line interface with `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker who previously compromised a session or token to continue using the account even after the password has been reset. The command used for password reset is `bin/tootctl accounts modify --reset-password`. **Recommendations** Update to Mastodon version 4.2.27 or later. Update to Mastodon version 4.3.14 or later. Update to Mastodon version 4.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 4.2.27 Mastodon versions prior to 4.3.14 Mastodon versions prior to 4.4.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. The streaming server incorrectly handles authentication tokens, accepting events for public timelines from clients with valid tokens that do not have the required `read:statuses` scope. This allows OAuth clients lacking the necessary permissions to subscribe to public channels and receive public timeline events. The impact is limited to new public posts and requires a valid token, but may result in unintended access to public posts in limited-federation environments. **Recommendations** Update Mastodon to version 4.2.27 or later. Update Mastodon to version 4.3.14 or later. Update Mastodon to version 4.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 4.4.6 Mastodon versions prior to 4.3.14 Mastodon versions prior to 4.2.27 **Description** Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, despite being unable to interact with other API endpoints. This behavior undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. **Recommendations** Update Mastodon to version 4.4.6 or later. Update Mastodon to version 4.3.14 or later. Update Mastodon to version 4.2.27 or later.

**Name of the Vulnerable Software and Affected Versions** Fedify versions prior to 0.9.2, 0.10.1, or 0.11.1 **Description** The issue is related to a Server Side Request Forgery attack. When Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send requests to resources internal to the Fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. **Recommendations** To resolve the issue, users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue. As a temporary workaround, consider restricting access to internal IP addresses to minimize the risk of exploitation. Restrict access to the `fetch` API to prevent unauthorized requests to internal resources. Avoid using the `@id` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 3.5.18 Mastodon versions prior to 4.0.14 Mastodon versions prior to 4.1.14 Mastodon versions prior to 4.2.6 **Description** The issue is related to the incorrect handling of Access Tokens when an OAuth Application is destroyed. This could have allowed an application to continue listening to streaming after it had been destroyed, potentially posing security risks to users. The problem arises from the `dependent: delete all` configuration used by Doorkeeper, which prevents the `after commit` callback from firing. As a result, the streaming server is not informed that the Access Tokens have been destroyed. The impact is considered negligible since the affected application had to be owned by the user. **Recommendations** For Mastodon versions prior to 3.5.18, upgrade to version 3.5.18 or later. For Mastodon versions prior to 4.0.14, upgrade to version 4.0.14 or later. For Mastodon versions prior to 4.1.14, upgrade to version 4.1.14 or later. For Mastodon versions prior to 4.2.6, upgrade to version 4.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** Pixelfed versions 0.10.4 through 0.11.9 **Description** The issue arises from improper and insufficient authorization checks when processing requests, allowing attackers to access more functionality than intended, including administrative and moderator features. This affects every local user of a Pixelfed server and potentially impacts the server's ability to federate. Some user interaction is required to set up the conditions for the vulnerability, but attackers can conduct the attack in a time-delayed manner without active user interaction. A proof of concept exists, and the vulnerability has been addressed in version 0.11.11. Technical details about exploitation include: - **API Endpoints:** For example, `/api/admin/config/update` can be exploited with a `read` scoped access token to perform administrative actions. - **Vulnerable Parameters or Variables:** Access tokens with `read` scope can be used to perform actions requiring higher-privilege scopes, such as `follow` or `admin:write`. - **Function Names:** The vulnerability exploits the improper checking of OAuth Application/Client permissions, allowing access to unauthorized functionality. **Recommendations** - For versions 0.10.4 through 0.11.9, upgrade to version 0.11.11 to address the vulnerability. - As a temporary workaround, consider restricting access to administrative and moderator functionality until the upgrade can be applied. - Avoid using access tokens with broad scopes, and regularly review and revoke unused access tokens to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ssri versions prior to 5.2.2 **Description** The issue is related to a regular expression denial of service vulnerability in the strict mode functionality of the ssri module. This vulnerability can be triggered via a long base64 hash string. **Recommendations** Update to version 5.2.2 or later.