Mastodon vulnerability allows attackers to take over accounts
2024-02-03 15:09

Mastodon, the free and open-source decentralized social networking platform, has fixed a critical vulnerability that allows attackers to impersonate and take over any remote account.

The newly fixed flaw is tracked as CVE-2024-23832 and stems from insufficient origin validation in Mastodon, allowing attackers to impersonate users and take over their accounts.

The vulnerability is rated 9.4 in CVSS v3.1 and impacts all Mastodon versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5.

Mastodon has withheld technical details for the time being to prevent active exploitation of the vulnerability.

Mastodon users cannot address the security risk themselves, but they should ensure that the admins of the instance they participate in have upgraded to a safe version by mid-February; otherwise, their accounts will be prone to hijacking.
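The only action the article leaves to users and admins is confirming that an instance runs one of the fixed releases. The following script is an added example, not code from the Mastodon project or from the article: it takes the four fixed versions named above (3.5.17, 4.0.13, 4.1.13, 4.2.5) and classifies a reported version string as patched or vulnerable, applying SemVer ordering so that a pre-release such as 4.2.5-rc1 counts as older than 4.2.5. It reads the version from the `version` field of a `/api/v1/instance` response body; the response bodies here are constructed samples with `.invalid` hostnames, not real instances, and the rule that branches newer than 4.2 are patched is an assumption drawn from the advisory listing nothing newer than 4.2.5.

```python
"""Version check for CVE-2024-23832 (Mastodon origin-validation flaw).

Added example, not code from the Mastodon project or the article. It uses the
four fixed releases the advisory names (3.5.17, 4.0.13, 4.1.13, 4.2.5) to
decide whether a reported instance version is on a patched release.
"""
import json
import re
from typing import Dict, Optional, Tuple

# First patched release on each maintained branch: (major, minor) -> patch.
FIXED_PATCH = {(3, 5): 17, (4, 0): 13, (4, 1): 13, (4, 2): 5}

# major.minor.patch with optional SemVer pre-release (-rc1) and build (+glitch).
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?\s*$"
)


def parse_version(version: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Return (major, minor, patch, prerelease) or None if unparseable."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_patched(version: str) -> Optional[bool]:
    """True if the version contains the fix, False if vulnerable, None if unknown.

    SemVer ordering applies: a pre-release such as 4.2.5-rc1 sorts before
    4.2.5 and is treated as unpatched; build metadata (+glitch) is ignored.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, pre = parsed
    branch = (major, minor)
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        return patch > fixed or (patch == fixed and pre is None)
    if branch < (3, 5):
        # Older branches never received a fix: every one is "before 3.5.17".
        return False
    # Assumption: branches newer than 4.2 (e.g. 4.3 development builds) were
    # cut after the fix; the advisory lists nothing newer than 4.2.5.
    return True


def version_from_instance_json(body: str) -> Optional[str]:
    """Pull the "version" field out of a Mastodon /api/v1/instance response."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    version = data.get("version") if isinstance(data, dict) else None
    return version if isinstance(version, str) else None


def classify_instances(responses: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> "patched" / "VULNERABLE" / "unknown" per response body."""
    report = {}
    for host, body in responses.items():
        version = version_from_instance_json(body)
        status = is_patched(version) if version is not None else None
        report[host] = {True: "patched", False: "VULNERABLE"}.get(status, "unknown")
    return report


# Constructed sample responses (not real instances) so the script runs offline.
SAMPLE_RESPONSES = {
    "example-a.invalid": '{"uri": "example-a.invalid", "version": "4.2.5"}',
    "example-b.invalid": '{"uri": "example-b.invalid", "version": "4.1.12"}',
    "example-c.invalid": '{"uri": "example-c.invalid", "version": "4.2.5-rc1"}',
    "example-d.invalid": '{"uri": "example-d.invalid", "version": "3.5.17+glitch"}',
    "example-e.invalid": "not json",
}

if __name__ == "__main__":
    for host, status in classify_instances(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
```

Running the script prints one line per sample host; for a live check, fetch `https://<host>/api/v1/instance` and pass the body to `classify_instances`. A version string that does not parse (nightly or custom builds) is reported as "unknown" rather than silently treated as safe.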

In July 2023, the Mastodon team fixed another critical bug tracked as CVE-2023-36460 and dubbed 'TootRoot,' which allowed attackers to send "Toots" that would create web shells on target instances.


News URL

https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                                                        RISK
2024-02-01   CVE-2024-23832  Authentication Bypass by Spoofing vulnerability in Joinmastodon Mastodon   critical (9.8)
             Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication.
             Attack vector: network; attack complexity: low; vendor: joinmastodon; weakness: CWE-290
2023-07-06   CVE-2023-36460  Path Traversal vulnerability in Joinmastodon Mastodon                      critical (9.9)
             Mastodon is a free, open-source social network server based on ActivityPub.
             Attack vector: network; attack complexity: low; vendor: joinmastodon; weakness: CWE-22