From @MentalOutlaw:

In this video I discuss the recent security updates to Mastodon to fix critical security vulnerabilities that allowed for cross-site scripting through oEmbed preview cards (CVE-2023-36459) and arbitrary file creation through media attachments (CVE-2023-36460, AKA TootRoot). Make sure the Mastodon instance you're using is on version 4.1.3 or later.

https://odysee.com/@AlphaNerd:8/mastodon-had-a-critical-security:5?r=5dSbLhamtNqgjc7Tj7jf54M4v1DZjbTD

#mastodon #fediverse #admin #cve #cve202336459 #cve202336460 #patch

Mastodon had a Critical Security Vulnerability

And the prize for the funniest name of a security vulnerability goes to: Tootroot! 🎉
(CVE-2023-36460)

#Tootroot #security #Mastodon #CVE202336460

Unraveling the TootRoot Bug: A Deep Dive into the Critical Vulnerability Impacting Mastodon Servers - privacypriority.in

Mastodon, a decentralized social networking platform that is open-source and free, has recently addressed four security flaws, one of which is of critical severity and could allow cybercriminals to generate arbitrary files on the server through specially designed media files.

I'd actually like to run a #Mastodon instance and see how long it takes until it gets pwned.
#mastoadmin #cve202336460

Nice, two updates in two days and no problems. And, as always, clear update instructions 👍

v4.1.3 fixes multiple "critical security issues": #TootRoot #cve202336460

#mastoadmin #selfhost #mastodon

Tootroot: Mastodon instances could be hijacked via specially crafted toots - Golem.de

Through a security vulnerability dubbed Tootroot, hackers could take over entire Mastodon instances and gain root access on the servers.

Check in with your admins and server operators and make sure your instance is upgraded!

"Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location"

https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm
#CVE202336460

Arbitrary file creation through media attachments

(This advisory describes an issue found by Cure53 as part of an audit performed at Mozilla's request) Using carefully crafted media files, attackers can cause Mastodon's media processing code to...

@dangoodin I found the patching/version update info, if you didn't already see it: https://github.com/mastodon/mastodon/releases/tag/v4.1.3

#CVE202336460 #TootRoot

Release v4.1.3 · mastodon/mastodon

⚠️ This release is an important security release fixing multiple critical security issues (CVE-2023-36460, CVE-2023-36459). Corresponding security releases are available for the 4.0.x branch and th...

Seems like you can have a rootin' tootin' good time with #CVE202336460
HT @GossiTheDog
For anybody wondering what the Mastodon security issue is - CVE-2023-36460, you can send a toot which makes a webshell on instances that process said toot. #CVE202336460 #TootRoot