Assigner | GitHub_M
Reserved | 2024-06-10
Published | 2024-07-05
Updated | 2024-08-02
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3
https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3
https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6
https://github.com/mastodon/mastodon/releases/tag/v4.1.18
https://github.com/mastodon/mastodon/releases/tag/v4.2.10