A security flaw in the decentralized social network Mastodon, tracked as CVE-2024-23832 (CVSS score 9.4), can be exploited to impersonate and take over any remote account.
The issue stems from insufficient origin validation in all affected Mastodon versions: in general terms, the server does not sufficiently verify that federated data describing a remote account actually comes from the origin (home server) that owns that account.
“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account.” reads the advisory.
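To make concrete what "origin validation" means for a federated server, the following is an added illustration written for this article. It is not Mastodon's code, not its patch for CVE-2024-23832, and not a description of the specific check that was missing (those details are withheld by the project); the hosts, URLs and helper names are made up for the example. The idea it shows is the general rule: an identity document fetched from host A may only describe identities on host A, and an inbox delivery signed by actor X may only claim to be from actor X.

```ruby
require 'uri'
require 'json'

# Illustrative origin checks for an ActivityPub-style federated server.
# Added example only; not Mastodon's implementation. All hosts are hypothetical.
module OriginCheck
  # Lowercase host of an https URL, or nil if the value is not a usable https URL.
  def self.host_of(url)
    uri = URI.parse(url.to_s)
    return nil unless uri.is_a?(URI::HTTPS) && uri.host
    uri.host.downcase
  rescue URI::InvalidURIError
    nil
  end

  # True only when every URL in `urls` shares the host of `fetched_from`.
  def self.same_origin?(fetched_from, *urls)
    base = host_of(fetched_from)
    return false if base.nil?
    urls.all? { |u| host_of(u) == base }
  end

  # Validates a fetched actor document (parsed JSON) against the URL it was
  # fetched from. Returns [:ok, doc] or [:reject, reason].
  def self.validate_actor(fetched_from, doc)
    id        = doc['id']
    key_id    = doc.dig('publicKey', 'id')
    key_owner = doc.dig('publicKey', 'owner')
    return [:reject, 'missing id'] unless id
    return [:reject, 'missing publicKey'] unless key_id && key_owner
    # The document must describe an actor on the origin we fetched it from,
    # otherwise any server could hand us a profile claiming to be someone else.
    return [:reject, "id #{id} is not on the origin of #{fetched_from}"] unless same_origin?(fetched_from, id)
    # The signing key must live on the actor's own origin and be owned by the actor.
    return [:reject, 'publicKey is not on the actor origin'] unless same_origin?(id, key_id)
    return [:reject, 'publicKey owner is not this actor'] unless key_owner == id
    [:ok, doc]
  end

  # Validates an inbox delivery. `signing_actor_id` is the owner of the key that
  # produced the HTTP signature on the request (resolved separately).
  # Returns [:ok, activity] or [:reject, reason].
  def self.validate_delivery(signing_actor_id, activity)
    actor = activity['actor']
    return [:reject, 'missing actor'] unless actor
    # The activity may only speak for the actor whose key signed the request.
    return [:reject, 'actor does not match HTTP signature key owner'] unless actor == signing_actor_id
    object = activity['object']
    # An embedded object is taken at face value, so it must belong to the actor.
    # A bare object URL is not checked here: the server should fetch it from its
    # own origin and run validate_actor-style checks on the result.
    if object.is_a?(Hash)
      attributed = object['attributedTo']
      return [:reject, 'embedded object attributed to another actor'] if attributed && attributed != actor
      return [:reject, 'embedded object id is not on the actor origin'] if object['id'] && !same_origin?(actor, object['id'])
    end
    [:ok, activity]
  end
end
```

The two checks are deliberately separate: `validate_actor` protects the step where a server learns who a remote account is, and `validate_delivery` protects the step where a server accepts activities on that account's behalf. A weakness in either step is enough to let one server speak for accounts it does not own.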
The issue impacts Mastodon versions prior to 3.5.17, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
The vulnerability was discovered by security researcher arcanicanis.
Mastodon plans to release technical details about the vulnerability after February 15, 2024, to give admins ample time to update their server instances.
The maintainers of the project fear that threat actors could begin mass exploitation of the issue in the wild once details are public.
“This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.” continues the advisory.
In July 2023, Mastodon addressed a critical flaw in its media attachments feature, tracked as CVE-2023-36460, that allowed attackers to create and overwrite files in any location accessible to the instance.
This vulnerability could potentially lead to Denial of Service (DoS) and arbitrary remote code execution.