Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 6 Jul 2023 18:23:25 -0400
From: Jan Schaumann <>
Subject: CVE-2023-36459: mastodon: XSS through oEmbed preview cards

(I have no affiliation with the project, but posting
this here because it seems to me that increasingly
non-packaged / GitHub distributed projects tend not to
send out announcements here.)

(This advisory describes an issue found by Cure53 as
part of an audit performed at Mozilla's request)

Using carefully crafted oEmbed data, an attacker can
bypass the HTML sanitization performed by Mastodon and
include arbitrary HTML in oEmbed preview cards.

This introduces a vector for Cross-site-scripting
(XSS) payloads that can be rendered in the user's
browser when a preview card for a malicious link is
clicked through.


Severity: 9.3/10


Affected versions: >= 1.3
Patched versions:  4.1.3, 4.0.5, 3.5.9

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.