CVE-2023-36459

Name of the Vulnerable Software and Affected Versions Mastodon versions 1.3 through 3.5.8 Mastodon versions 4.0.0 through 4.0.4 Mastodon versions 4.1.0 through 4.1.2

Description The issue is related to the processing of oEmbed data in Mastodon, which can allow an attacker to bypass HTML sanitization and include arbitrary HTML in oEmbed preview cards. This can introduce a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. An attacker can use carefully crafted oEmbed data to exploit this issue.

Recommendations For Mastodon versions 1.3 through 3.5.8, update to version 3.5.9 or later. For Mastodon versions 4.0.0 through 4.0.4, update to version 4.0.5 or later. For Mastodon versions 4.1.0 through 4.1.2, update to version 4.1.3 or later. As a temporary workaround, consider restricting the use of oEmbed preview cards until a patch is applied.