
THREATINT
PUBLISHED

CVE-2024-37903

Mastodon has improper authorship check on audience extension for existing posts

Description

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.

Reserved 2024-06-10 | Published 2024-07-05 | Updated 2024-08-02 | Assigner GitHub_M

HIGH: 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-862: Missing Authorization

Product status

>= 2.6.0, < 4.1.18: affected

>= 4.2.0, < 4.2.10: affected

References

github.com/...stodon/security/advisories/GHSA-xjvf-fm67-4qc3

github.com/...ommit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3

github.com/...ommit/d4bf22b632ea8b1174375c4966a6768ab66393b6

github.com/mastodon/mastodon/releases/tag/v4.1.18

github.com/mastodon/mastodon/releases/tag/v4.2.10

cve.org (CVE-2024-37903)

nvd.nist.gov (CVE-2024-37903)

https://cve.threatint.com/CVE/CVE-2024-37903
