CVE-2023-42452

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-42452
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42452.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-42452
Aliases
Published
2023-09-19T15:58:44.559Z
Modified
2026-04-10T05:01:57.362033Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Mastodon vulnerable to Stored XSS through the translation feature
Details

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42452.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
fb389bd73c8a4bc2924496f6041c8eee27572d21
Fixed
3d8ae6ab739ab1222546923c8df703260285fbc3
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
61c5dfb9295ea66c376c452a7ef7379e8c562416
Fixed
46bd58f74d11591a0180319285b0c79b2212ef69
Database specific 
{
    "versions": [
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
dab54ccbba3721382241725bb1c1159d24b5aab2
Fixed
f4b780ba22d0256770766185cee5f8fcc5585c95
Database specific 
{
    "versions": [
        {
            "introduced": "4.2.0-beta1"
        },
        {
            "fixed": "4.2.0-rc2"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.2.0-beta1
v4.2.0-beta2
v4.2.0-beta3
v4.2.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42452.json"

Git / github.com/tootsuite/mastodon

Affected ranges

Type
GIT
Repo
https://github.com/tootsuite/mastodon
Events
Introduced
fb389bd73c8a4bc2924496f6041c8eee27572d21
Fixed
3d8ae6ab739ab1222546923c8df703260285fbc3
Introduced
61c5dfb9295ea66c376c452a7ef7379e8c562416
Fixed
46bd58f74d11591a0180319285b0c79b2212ef69
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dab54ccbba3721382241725bb1c1159d24b5aab2
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
facfec1ba36cee27f232ebff90b990933719235a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f80f426c57d5a5e1d289372ef7c323741d27c768
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b90383d07388fe8513e59a6deb1a2391146c6561
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.10"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0-beta1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0-beta2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0-beta3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0-rc1"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.2.0-beta1
v4.2.0-beta2
v4.2.0-beta3
v4.2.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42452.json"