
Mastodon Social Network Patches Critical Flaws Allowing Server Takeover
2023-07-07 12:55

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.

Mastodon is known for its federated model, consisting of thousands of separate servers called "Instances," and it has over 14 million users across more than 20,000 instances.

The most critical vulnerability, CVE-2023-36460, is a flaw in the media attachments feature that allows attackers to create and overwrite files in any location the software can access on an instance.
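The defensive check that this class of bug (CWE-22, path traversal in a file-writing feature) calls for is to resolve the user-influenced name against a fixed storage root and refuse anything that lands outside it. The Ruby below is an added illustration written for this page; it is not Mastodon's code or its actual fix, and the `MEDIA_ROOT` directory and the sample filenames are constructed for the example.

```ruby
# Added example: containing a user-supplied media filename inside a fixed
# storage root. Illustrative only, not the project's own code or patch.
require "pathname"

# Constructed storage root for the example (not a real Mastodon path).
MEDIA_ROOT = Pathname.new("/var/lib/mastodon/media").freeze

class PathTraversalError < StandardError; end

# Returns the absolute Pathname at which a media attachment may be written,
# or raises PathTraversalError if the requested name would escape `root`.
def safe_media_path(user_supplied_name, root: MEDIA_ROOT)
  name = user_supplied_name.to_s
  raise PathTraversalError, "empty name" if name.empty?
  # A NUL byte can truncate the path at the OS layer; reject it before any
  # path arithmetic (Pathname.new would also raise on it).
  raise PathTraversalError, "NUL byte in name" if name.include?("\0")
  # Pathname#join returns the argument unchanged when it is absolute, so an
  # absolute name would silently replace the root. Refuse it explicitly.
  raise PathTraversalError, "absolute path not allowed" if Pathname.new(name).absolute?

  # cleanpath collapses "..", "." and duplicate separators lexically, e.g.
  # /root/../../etc/passwd -> /etc/passwd, which the containment check catches.
  candidate = root.join(name).cleanpath

  # Require a true descendant: the trailing "/" stops a sibling directory with
  # the same prefix (e.g. ".../media_evil/x") from passing as inside the root.
  unless candidate.to_s.start_with?(root.to_s + "/")
    raise PathTraversalError, "#{name.inspect} resolves outside #{root}"
  end
  candidate
end

# Boolean convenience wrapper, e.g. for a validation step in a controller.
def media_path_allowed?(user_supplied_name, root: MEDIA_ROOT)
  safe_media_path(user_supplied_name, root: root)
  true
rescue PathTraversalError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: two benign names and three traversal attempts.
  ["avatar.png", "2023/07/07/photo.jpg", "../../../etc/passwd",
   "/etc/passwd", "../media_evil/x.png"].each do |n|
    puts "#{n.inspect.ljust(28)} -> #{media_path_allowed?(n) ? 'allowed' : 'rejected'}"
  end
end
```

Note that `cleanpath` is purely lexical. If the storage root may contain symlinks pointing outside it, resolve the parent directory with `Pathname#realpath` (which requires it to exist) and repeat the containment check against the resolved root before writing.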

If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure.

Other vulnerabilities fixed in the same release included "Blind LDAP injection in login," which allowed attackers to extract arbitrary attributes from the LDAP database, "Denial of Service through slow HTTP responses," and a formatting issue with "Verified profile links." Each of these flaws posed a different level of risk to Mastodon users.

To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.


News URL

https://thehackernews.com/2023/07/mastodon-social-network-patches.html

Related Vulnerability

Date: 2023-07-06
CVE: CVE-2023-36460
Vulnerability title: Path Traversal vulnerability in Joinmastodon Mastodon
Description: Mastodon is a free, open-source social network server based on ActivityPub.
Attack vector: network
Attack complexity: low
Vendor: joinmastodon
Weakness: CWE-22
Risk: critical (score 9.9)