Code Execution Vulnerability Found in Mastodon Platform

A recent vulnerability disclosure for Mastodon, the decentralized social network made up of many federated servers, revealed a critical security flaw (CVE-2023-36460). The vulnerability allows attackers to create or modify arbitrary files in any directory on the server that the privileges of the Mastodon process permit.

The exploit can be used to tamper with server code, for example by placing a file in a directory that holds web scripts, modifying the ~/.ssh/authorized_keys file to add SSH keys, or adding commands to a login script such as ~/.bashrc or ~/.profile, which run when the account logs in.

This particular vulnerability has been assigned a severity rating of 9.9 out of 10. It is attributed to an error in the code that handles multimedia files and can be triggered through specially crafted multimedia attachments. Cure53, a security company commissioned by Mozilla to audit the Mastodon code for their own social network platform mozilla.social, discovered this flaw.

Additionally, the audit uncovered another critical vulnerability (CVE-2023-36459) with a severity rating of 9.3 out of 10. This vulnerability enables attackers to use specially crafted oEmbed data to bypass the protection against cross-site scripting (XSS) attacks. By doing so, they can inject their own HTML and execute arbitrary JavaScript code in the user’s browser.

The latest updates, versions 3.5.10, 4.0.6, and 4.1.4, have addressed these vulnerabilities. Users are advised to update their Mastodon instances promptly to ensure their systems are protected.
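The following is an added example, not code from the Mastodon project, that an instance operator could use to check whether the version string an instance reports (the `version` field of its `/api/v1/instance` response) is at or above the fixed release on its branch. The branch handling and the constructed sample document are assumptions.

```python
"""Check a Mastodon version string against the releases that fix
CVE-2023-36460 and CVE-2023-36459 (3.5.10, 4.0.6, 4.1.4)."""
import json
import re
from typing import Optional, Tuple

# Earliest fixed release on each branch, as listed in the announcement.
FIXED_VERSIONS = {
    (3, 5): (3, 5, 10),
    (4, 0): (4, 0, 6),
    (4, 1): (4, 1, 4),
}

# Forks and builds append suffixes such as "+glitch"; only the leading
# major.minor.patch triple is compared.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the fixed release on its branch, False if older.
    Branches older than 3.5 received no fix in the announcement and are
    reported as unpatched; newer branches (assumption) are reported as
    None, meaning 'not covered by this advisory, check manually'."""
    v = parse_version(version)
    if v is None:
        return None
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    return False if branch < (3, 5) else None


def check_instance_json(body: str) -> Optional[bool]:
    """Apply is_patched to the 'version' field of an /api/v1/instance body."""
    return is_patched(json.loads(body).get("version", ""))


# Constructed sample response; a real check would fetch this over HTTPS.
SAMPLE_INSTANCE = '{"uri": "example.invalid", "version": "4.1.2+glitch"}'

if __name__ == "__main__":
    print("patched:", check_instance_json(SAMPLE_INSTANCE))
```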

Currently, the federated social network known as the fediverse has over 12,000 nodes based on the Mastodon platform, serving approximately 9 million users.

Sources: reports, release notes, official announcements.