Joinmastodon: >> Mastodon >> 2.5.0 Security Vulnerabilities
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
CVSS Score
7.7
EPSS Score
0.004
Published
2023-04-04
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
CVSS Score
7.5
EPSS Score
0.007
Published
2022-12-04
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVSS Score
9.8
EPSS Score
0.014
Published
2022-11-16
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-05-24
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
CVSS Score
9.8
EPSS Score
0.004
Published
2022-02-03
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
CVSS Score
7.4
EPSS Score
0.509
Published
2022-02-02
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVSS Score
9.8
EPSS Score
0.016
Published
2019-09-22
Page 3