Security News > 2024 > February > Mastodon vulnerability allows attackers to take over accounts
Mastodon, the free and open-source decentralized social networking platform, has fixed a critical vulnerability that allowed attackers to impersonate and take over any remote account.
The newly fixed flaw is tracked as CVE-2024-23832 and stems from insufficient origin validation in Mastodon, allowing attackers to impersonate users and take over their accounts.
The vulnerability is rated 9.4 in CVSS v3.1 and impacts all Mastodon versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5.
Mastodon has withheld technical details for the time being to prevent active exploitation of the vulnerability.
Mastodon users cannot do anything to address the security risk, but they should ensure that the admins of the instance they participate in have upgraded to a safe version by mid-February; otherwise, their accounts will be prone to hijacking.
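As an added example (not code from the article or from the Mastodon project), a small checker that compares an instance's reported version against the fixed releases named above. It assumes the version is read from the `version` field of the instance's public `/api/v1/instance` JSON document and that the string starts with `major.minor.patch`, optionally followed by a build suffix.

```python
"""Check a Mastodon instance version against the CVE-2024-23832 fix releases.

Assumptions (not from the article): version strings look like "4.2.3",
optionally followed by a suffix such as "4.2.5+glitch" or
"4.3.0-nightly.2024-02-01", and the version is taken from the `version`
field of the instance's public /api/v1/instance JSON document.
"""
import json
import re

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED_PATCH = {(3, 5): 17, (4, 0): 13, (4, 1): 13, (4, 2): 5}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)  # (4, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, ignoring any suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this version predates the fix release for its branch.

    Branches newer than 4.2 are treated as carrying the fix. Every other
    branch without a listed fix release (anything older than 3.5, or an
    unlisted branch in between) is reported as vulnerable, the conservative
    reading of "all versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5".
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return branch <= NEWEST_FIXED_BRANCH


def check_instance_document(instance_json):
    """Evaluate the `version` field of an /api/v1/instance response body."""
    version = json.loads(instance_json)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample response, trimmed to the field of interest.
SAMPLE_INSTANCE_JSON = '{"uri": "example.social", "version": "4.2.3"}'

if __name__ == "__main__":
    print(check_instance_document(SAMPLE_INSTANCE_JSON))
```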
In July 2023, the Mastodon team fixed another critical bug tracked as CVE-2023-36460 and dubbed 'TootRoot,' which allowed attackers to send "Toots" that would create web shells on target instances.
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2024-02-01 | CVE-2024-23832 | Authentication Bypass by Spoofing vulnerability in Joinmastodon Mastodon. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. | 9.8 |
| 2023-07-06 | CVE-2023-36460 | Path Traversal vulnerability in Joinmastodon Mastodon. Mastodon is a free, open-source social network server based on ActivityPub. | 9.9 |