Mastodon TootRoot
by NotAThrow6397 - Monday July 10, 2023 at 02:27 PM
#1
Mastodon had to patch their software due to a big CVE with a score of 9.9/10 which allows for arbitrary file execution

https://youtube.com/watch?v=3KCyhltnz7w
#2
tl;dw: several major vulns were found in mastodon during an audit

Critical:

TootRoot / Arbitrary file creation through media attachments: "Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location. Impact: This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution." - (https://github.com/mastodon/mastodon/sec...-3cp5-93fm)

XSS through oEmbed preview cards: "Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. Impact: This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through." - (https://github.com/mastodon/mastodon/sec...-vgcc-73hp)

Update your shit, and if you don't own the shit, push the person who owns the shit to update the shit.

v4.1.2 and prior are vulnerable
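For admins who want to act on the "v4.1.2 and prior" line above, here is a version triage sketch. It is an added example, not part of the thread or of Mastodon's own code. It assumes you have already saved each instance's `/api/v1/instance` response body; the hostnames and JSON bodies are constructed samples.

```python
import json
import re

# Threshold taken from the thread: "v4.1.2 and prior are vulnerable".
LAST_VULNERABLE = (4, 1, 2)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw):
    """Return (major, minor, patch) from a Mastodon version string, or None.

    Trailing text such as a fork tag ("+glitch") or a pre-release marker
    ("rc1") is ignored; only the numeric core is compared.
    """
    m = _VERSION_RE.match(raw.strip()) if isinstance(raw, str) else None
    return tuple(int(p) for p in m.groups()) if m else None


def triage(instance_json):
    """Classify one saved /api/v1/instance body: 'update', 'ok' or 'review'."""
    try:
        doc = json.loads(instance_json)
    except (TypeError, ValueError):
        return "review"  # not JSON (error page, empty capture, ...)
    version = parse_version(doc.get("version")) if isinstance(doc, dict) else None
    if version is None:
        return "review"  # missing or unrecognised version string
    return "update" if version <= LAST_VULNERABLE else "ok"


def audit(inventory):
    """Map each host in {host: response_body} to its triage verdict."""
    return {host: triage(body) for host, body in inventory.items()}


# Constructed sample inventory (hypothetical hosts, hand-written bodies).
SAMPLE = {
    "social.example": '{"uri": "social.example", "version": "4.1.2"}',
    "fork.example": '{"uri": "fork.example", "version": "4.1.2+glitch"}',
    "new.example": '{"uri": "new.example", "version": "4.1.4"}',
    "old.example": '{"version": "3.5.3"}',
    "odd.example": '{"version": "custom-build"}',
    "down.example": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        print(f"{host:16} {verdict}")
```

A verdict of `update` applies the thread's threshold literally; check the linked advisories for the exact fixed release on the branch you run.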
#3
(Jul 10, 2023, 02:52 PM)happenstance Wrote: tl;dw: several major vulns were found in mastodon during an audit

Critical:

TootRoot / Arbitrary file creation through media attachments: "Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location. Impact: This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution." - (https://github.com/mastodon/mastodon/sec...-3cp5-93fm)

XSS through oEmbed preview cards: "Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. Impact: This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through." - (https://github.com/mastodon/mastodon/sec...-vgcc-73hp)

Update your shit, and if you don't own the shit, push the person who owns the shit to update the shit.

way better TL;DR thanks :pomhappy:
#4
haha LOL let's all move from Twitter to Mastodon!!!!