Product: Mastodon (Joinmastodon)

Repositories: Unknown. This might be proprietary software.

#Vulnerabilities 19
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-02-14 | CVE-2024-25618 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the... | Mastodon | 7.4 | | |
| 2024-02-14 | CVE-2024-25619 | Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a... | Mastodon | 4.3 | | |
| 2024-02-19 | CVE-2024-25623 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability... | Mastodon | 7.7 | | |
| 2022-02-02 | CVE-2022-0432 | Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | Mastodon | 6.1 | | |
| 2022-02-03 | CVE-2022-24307 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | Mastodon | 9.8 | | |
| 2022-05-24 | CVE-2022-31263 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | Mastodon | 5.3 | | |
| 2022-11-16 | CVE-2022-2166 | Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | Mastodon | 9.8 | | |
| 2022-12-04 | CVE-2022-46405 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages. | Mastodon | 7.5 | | |
| 2023-03-06 | CVE-2022-48364 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | Mastodon | 4.3 | | |
| 2023-04-04 | CVE-2023-28853 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform an LDAP injection attack to leak arbitrary attributes from the LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | Mastodon | 6.5 | | |