Decentralized social networking platform Mastodon has patched five security vulnerabilities as part of a security update, according to The Hacker News.
The most severe flaw, tracked as CVE-2023-36460, lies in the platform's media attachment processing: an attacker could abuse it to create and overwrite arbitrary files that Mastodon has write access to, which could then be leveraged for denial-of-service and arbitrary remote code execution attacks.
Another critical vulnerability, tracked as CVE-2023-36459, could be exploited to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization and enabling cross-site scripting (XSS) payloads.
Mastodon has also addressed three high- and medium-severity bugs: a denial-of-service flaw triggered by slow HTTP responses, a blind LDAP injection in the login flow, and a misleading formatting issue with verified profile links. Users have been urged to make sure the instances they use apply the updates immediately to prevent compromise.
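The blind LDAP injection mentioned above is an instance of a general bug class: a user-supplied login name is interpolated into an LDAP search filter, so characters such as `)` and `*` change the filter's structure and let the attacker ask the directory true/false questions through the login result. The following Ruby example is added here to illustrate that class in general; it is not Mastodon's code and says nothing about the specific flaw Mastodon fixed. The attribute name `uid`, the sample login values and the `filter_assertions` helper are all assumptions made for the illustration.

```ruby
# Added example (not Mastodon's code): building an LDAP search filter for a
# login lookup, first by string interpolation (injectable) and then with the
# user-supplied value escaped per RFC 4515 so it can only match literally.

# Characters with special meaning inside an LDAP filter value (RFC 4515)
# and the escaped form each must take.
LDAP_FILTER_ESCAPES = {
  "\\"   => "\\5c",
  "*"    => "\\2a",
  "("    => "\\28",
  ")"    => "\\29",
  "\x00" => "\\00",
}.freeze

# Escape a value for safe embedding in an LDAP filter assertion. gsub makes a
# single pass, so the backslashes it inserts are not escaped a second time.
def escape_ldap_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Vulnerable: the login name goes into the filter verbatim. uid_attr is
# assumed to come from configuration, never from the user.
def unsafe_login_filter(uid_attr, login)
  "(&(#{uid_attr}=#{login})(objectClass=person))"
end

# Hardened: same filter, but the user-controlled part is escaped.
def safe_login_filter(uid_attr, login)
  "(&(#{uid_attr}=#{escape_ldap_filter_value(login)})(objectClass=person))"
end

# Helper (assumption, for illustration only): list the (attribute, value)
# assertions in a filter, so the effect of an injection is visible as a
# change in the number of assertions rather than in a string diff.
def filter_assertions(filter)
  filter.scan(/\(([^()=]+)=([^()]*)\)/)
end

if __FILE__ == $0
  # Constructed blind-injection probe: if login succeeds, the admin entry's
  # description starts with "a"; the attacker iterates one character at a time.
  probe = "admin)(description=a*"
  puts "unsafe: #{unsafe_login_filter('uid', probe)}"
  puts "  assertions: #{filter_assertions(unsafe_login_filter('uid', probe)).size}"
  puts "safe:   #{safe_login_filter('uid', probe)}"
  puts "  assertions: #{filter_assertions(safe_login_filter('uid', probe)).size}"
end
```

With the probe value, the unescaped filter becomes `(&(uid=admin)(description=a*)(objectClass=person))`, a well-formed filter with an attacker-chosen third assertion; the escaped version keeps two assertions and searches for a literal uid that no entry has. Production code should use the escaping routine of its LDAP library rather than a hand-written one, but the rule is the same: every user-controlled fragment of a filter must be escaped before interpolation.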