oss-sec mailing list archives
CVE-2023-36459: mastodon: XSS through oEmbed preview cards
From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 6 Jul 2023 18:23:25 -0400
(I have no affiliation with the project, but posting this here because it seems to me that increasingly non-packaged / GitHub distributed projects tend not to send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp

(This advisory describes an issue found by Cure53 as part of an audit performed at Mozilla's request)

Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards.

Impact

This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Severity: 9.3/10
CVE-2023-36459
Affected versions: >= 1.3
Patched versions: 4.1.3, 4.0.5, 3.5.9
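The advisory above describes provider-supplied oEmbed HTML reaching a preview card past the sanitizer. The following Ruby is an added illustration of the defensive pattern that avoids that class of bug, not Mastodon's code or its actual fix: the card is built only from structured oEmbed fields with output escaping, and the provider's `html` field is never copied into the page; at most a single iframe src is extracted, validated as an http(s) URL, and re-emitted in a tag the renderer constructs itself. The module name, the sample response and the URLs are all hypothetical.

```ruby
require 'json'
require 'cgi'
require 'uri'

# Hypothetical helper, not Mastodon's code: build a preview card from an oEmbed
# response without ever copying the provider's `html` field into the page.
module OEmbedCard
  SAFE_SCHEMES = %w[http https].freeze
  # The only provider HTML accepted is exactly one <iframe ...></iframe>; any
  # other markup (extra tags, text, scripts) makes the card fall back to a link.
  IFRAME_ONLY = %r{\A\s*<iframe\s+([^<>]*?)\s*>\s*</iframe>\s*\z}i
  SRC_ATTR    = /\bsrc\s*=\s*"([^"]*)"/i

  # Returns the URL as a string only if it is an absolute http(s) URL.
  def self.safe_url(value)
    uri = URI.parse(value.to_s) rescue nil
    return nil unless uri && uri.host && SAFE_SCHEMES.include?(uri.scheme.to_s.downcase)
    uri.to_s
  end

  # Extracts a safe iframe src from provider HTML, or nil. Other attributes
  # (onload, srcdoc, ...) are never carried over: the card re-emits its own tag.
  def self.embed_src(html)
    m = IFRAME_ONLY.match(html.to_s) or return nil
    src = SRC_ATTR.match(m[1])&.[](1) or return nil
    safe_url(src)
  end

  # Renders the card from structured fields only; every value is escaped.
  def self.render(oembed_json, link_url)
    data  = JSON.parse(oembed_json)
    href  = safe_url(link_url) or return ''
    out   = "<a href=\"#{CGI.escapeHTML(href)}\" rel=\"noopener noreferrer nofollow\">" \
            "#{CGI.escapeHTML(data['title'].to_s)}</a>"
    provider = CGI.escapeHTML(data['provider_name'].to_s)
    out << "<span class=\"provider\">#{provider}</span>" unless provider.empty?
    thumb = safe_url(data['thumbnail_url'])
    out << "<img src=\"#{CGI.escapeHTML(thumb)}\" alt=\"\">" if thumb
    if %w[video rich].include?(data['type']) && (src = embed_src(data['html']))
      out << "<iframe src=\"#{CGI.escapeHTML(src)}\" sandbox=\"allow-scripts\"></iframe>"
    end
    out
  end
end

# Constructed sample of a malicious oEmbed response (not taken from the advisory).
CRAFTED = '{"type":"rich","title":"<img src=x onerror=alert(1)>","provider_name":"x",' \
          '"thumbnail_url":"javascript:alert(1)",' \
          '"html":"<iframe src=\"https://evil.example/e\" onload=\"alert(1)\"></iframe><script>alert(2)</script>"}'

puts OEmbedCard.render(CRAFTED, 'https://evil.example/post') if __FILE__ == $0
```

The crafted title, thumbnail and `html` field all end up either escaped as text or dropped; only a plain link and provider label are rendered for that response.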