Security News > 2024 > February > Lagging Mastodon admins urged to patch critical account takeover flaw (CVE-2024-23832)
Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole.
Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.
Mastodon users gather on a variety of different servers, run by different people or organizations, which makes the uptake of the latest security updates quite impressive.
"Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.".
Mastodon server admins have been alerted to the necessity of implementing the critical security update via email and via unmissable prompts in the admin panel, which might explain the satisfactory uptake of security updates.
This is not the first time that a critical, easily exploited vulnerability has been fixed in the Mastodon software.
News URL
https://www.helpnetsecurity.com/2024/02/06/cve-2024-23832/
Related news
- Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) (source)
- Exploit available for new critical TeamCity auth bypass bug, patch now (source)
- Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- PoC for critical Arcserve UDP vulnerabilities published (CVE-2024-0799, CVE-2024-0800) (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955) (source)
- Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204) (source)
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) (source)