CVE-2023-42452

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.0.10 Mastodon versions prior to 4.2.8 Mastodon versions prior to 4.2.0-rc2

Description Mastodon is a free, open-source social network server based on ActivityPub. In certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts. However, a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post.

Recommendations For versions prior to 4.0.10, update to version 4.0.10 or later. For versions prior to 4.2.8, update to version 4.2.8 or later. For versions prior to 4.2.0-rc2, update to version 4.2.0-rc2 or later. As a temporary workaround, consider restricting access to the translation feature until a patch is applied.