CVE-2023-42452

Source
https://cve.org/CVERecord?id=CVE-2023-42452
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42452.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-42452
Aliases
Published
2023-09-19T15:58:44.559Z
Modified
2026-07-15T01:48:56.305836922Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Mastodon vulnerable to Stored XSS through the translation feature
Details

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42452.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*",
        "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*",
        "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*",
        "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.10"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.8"
        },
        {
            "introduced": "4.2.0-beta1"
        },
        {
            "last_affected": "4.2.0-beta1"
        },
        {
            "introduced": "4.2.0-beta2"
        },
        {
            "last_affected": "4.2.0-beta2"
        },
        {
            "introduced": "4.2.0-beta3"
        },
        {
            "last_affected": "4.2.0-beta3"
        },
        {
            "introduced": "4.2.0-rc1"
        },
        {
            "last_affected": "4.2.0-rc1"
        }
    ]
}

Affected versions

4.*
4.2.0-beta1
4.2.0-beta2
4.2.0-beta3
4.2.0-rc1
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.2.0-beta1
v4.2.0-beta2
v4.2.0-beta3
v4.2.0-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42452.json"