Mastodon TootRoot
by NotAThrow6397 - Monday July 10, 2023 at 02:27 PM
#1
Mastodon had to patch their software due to a big CVE with a score of 9.9/10, which allows for arbitrary file execution.

https://youtube.com/watch?v=3KCyhltnz7w
[Image: XjbTbGW.gif]
Clowns
Reply
#2
tl;dw: several major vulns were found in Mastodon during an audit

Critical:

TootRoot / Arbitrary file creation through media attachments: "Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location. Impact: This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution." - (https://github.com/mastodon/mastodon/sec...-3cp5-93fm)

XSS through oEmbed preview cards: "Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. Impact: This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through." - (https://github.com/mastodon/mastodon/sec...-vgcc-73hp)

update your shit, and if you don't own the shit, push the person who owns the shit to update the shit.

v4.1.2 and prior are vulnerable
Reply
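Added example (editor's addition, not Mastodon's code and not from the post above): the file-creation bug described in the quoted advisory is a containment problem, so the defender-side check is "does the path we are about to write stay inside the media directory?". The Ruby below shows that check with Pathname, plus a small helper that applies the post's own claim ("v4.1.2 and prior are vulnerable") to an instance's version string. MEDIA_ROOT is an assumed directory, and the threshold constant is taken from the post, not from an official advisory.

```ruby
require "pathname"
require "rubygems"

# Assumed directory for this example (not Mastodon's real configuration):
# where media processing is expected to write its output files.
MEDIA_ROOT = "/var/lib/mastodon/public/system/media_attachments".freeze

# Threshold taken from the post above ("v4.1.2 and prior are vulnerable").
LAST_VULNERABLE_VERSION = "4.1.2".freeze

# Resolve an untrusted relative file name (e.g. one influenced by metadata
# inside an uploaded media file) against media_root. Returns the absolute
# path only when it is a strict descendant of media_root, otherwise nil.
def safe_media_path(relative_name, media_root = MEDIA_ROOT)
  return nil if relative_name.nil? || relative_name.empty?
  return nil if relative_name.include?("\0") # NUL truncates paths in C-level file APIs

  candidate = Pathname.new(relative_name)
  return nil if candidate.absolute? # "/etc/..." must never replace the root

  root = Pathname.new(media_root).cleanpath
  # Pathname#+ consumes leading ".." segments against the root and cleanpath
  # removes "." and embedded "..", so traversal attempts resolve to a path
  # outside root and then fail the prefix test below.
  resolved = (root + candidate).cleanpath

  # Compare with a trailing separator so "/x/media_backup" is not mistaken
  # for something inside "/x/media". Symlinks are not resolved here; use
  # Pathname#realpath on an existing directory if the tree may contain them.
  inside = resolved.to_s.start_with?(root.to_s + File::SEPARATOR)
  inside ? resolved.to_s : nil
end

# true  -> version is at or below the post's stated threshold
# false -> version is newer than the threshold
# nil   -> string is not a version we can parse
def vulnerable_version?(version_string)
  v = version_string.to_s.strip.sub(/\Av/, "").sub(/\+.*\z/, "") # drop "v" prefix and "+build" suffix
  Gem::Version.new(v) <= Gem::Version.new(LAST_VULNERABLE_VERSION)
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick manual run.
  ["cache/accounts/avatars/1.png", "../../../../../../etc/passwd", "/etc/passwd", "cache/../../escape.txt"].each do |name|
    puts "#{name.inspect} -> #{safe_media_path(name).inspect}"
  end
  ["v4.1.2", "4.1.3", "3.5.8", "garbage"].each do |ver|
    puts "#{ver} vulnerable? #{vulnerable_version?(ver).inspect}"
  end
end
```

The path check is deliberately string-based so it can run before anything touches the filesystem; the version helper only reports what the post claims and does not replace reading the project's own advisories.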
#3
(Jul 10, 2023, 02:52 PM)happenstance Wrote: tl;dw: several major vulns were found in mastodon during an audit

Critical:

TootRoot / Arbitrary file creation through media attachments: "Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location. Impact: This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution." - (https://github.com/mastodon/mastodon/sec...-3cp5-93fm)

XSS through oEmbed preview cards: "Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. Impact: This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through." - (https://github.com/mastodon/mastodon/sec...-vgcc-73hp)

update your shit, and if you don't own the shit, push the person who owns the shit to update the shit.

way better TL;DR thanks :pomhappy:
[Image: XjbTbGW.gif]
Clowns
Reply
#4
haha LOL let's all move from Twitter to Mastodon!!!!
Reply