Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) As a result, a remote attacker could use a maliciously crafted activity to access data in your app, causing a potential security risk. To avoid this, update Mastodon to version 3.4.6, 3.4.7, 3.4.8, or 3.5.0 as soon as possible.

Mastodon before 3.3.2 and 3.4.x before 3.4.6 does not have proper access control for public profile fields. (Public profile fields were added in version 2.0.0.) Unverified public profile fields can be accessed by remote attackers. As a result, remote attackers could access publicly visible private data. To avoid this, update Mastodon to version 3.4.6, 3.4.7, 3.4.8, or 3.5.0 as soon as possible.
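The compaction issue described above comes down to a mismatch between what a signature covers and what the application actually reads. The following toy model is added here to illustrate that mismatch and its fix; it is not Mastodon's code and not a real JSON-LD processor. `CANONICAL_TERMS`, `compact`, `canonical_bytes`, the HMAC used in place of the actor's RSA key, and the sample documents (`LEGIT`, `MISMATCHED`) are all constructed assumptions. Two receivers verify the same signature: `deliver_raw` then reads the raw JSON, while `deliver_compacted` acts only on the compacted form the signature covers.

```ruby
require 'json'
require 'openssl'

# Constructed toy model (not Mastodon's code and not a real JSON-LD
# processor): the receiving server understands only these terms.
CANONICAL_TERMS = %w[type actor object to content].freeze

# Toy compaction. Each key is resolved through the document's own inline
# "@context" (JSON-LD lets a document carry one) and must land on a term the
# server knows; anything else is dropped, as unknown terms are dropped on
# JSON-LD expansion. Two keys resolving to the same term are rejected.
def compact(doc)
  local = doc['@context'].is_a?(Hash) ? doc['@context'] : {}
  doc.each_with_object({}) do |(key, value), out|
    next if key == '@context'
    term = local.fetch(key, key)
    next unless CANONICAL_TERMS.include?(term)
    raise ArgumentError, "ambiguous term #{term}" if out.key?(term)
    out[term] = value
  end
end

# Canonical bytes: the compacted document with keys in sorted order, so the
# serialisation does not depend on the key order the sender used.
def canonical_bytes(doc)
  JSON.generate(compact(doc).sort.to_h)
end

# HMAC stands in for the actor's RSA key; what matters here is that the
# signature covers the canonical form, as Linked Data Signatures do.
def sign(doc, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, canonical_bytes(doc))
end

# Constant-time comparison of the expected and presented signatures.
def verify?(doc, signature, key)
  expected = sign(doc, key)
  return false unless expected.bytesize == signature.bytesize
  expected.bytes.zip(signature.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Vulnerable pattern: verify over the canonical form, then read the raw JSON.
def deliver_raw(doc, signature, key)
  raise 'signature verification failed' unless verify?(doc, signature, key)
  { 'to' => doc['to'], 'content' => doc['content'] }
end

# Fixed pattern: verify, then act only on the compacted form the signature
# actually covers.
def deliver_compacted(doc, signature, key)
  raise 'signature verification failed' unless verify?(doc, signature, key)
  compacted = compact(doc)
  { 'to' => compacted['to'], 'content' => compacted['content'] }
end

# Constructed sample: a followers-only note signed by its author.
KEY = 'constructed-demo-key'.freeze
LEGIT = {
  'type' => 'Note',
  'actor' => 'https://example.invalid/users/alice',
  'to' => 'https://example.invalid/users/alice/followers',
  'content' => 'followers-only note'
}.freeze
SIGNATURE = sign(LEGIT, KEY)

# Constructed relayed copy with the same canonical form: the inline context
# routes the real addressing through another key and points the raw "to" at
# a term the server does not know, so the raw and compacted views differ
# while the signature still verifies.
MISMATCHED = LEGIT.merge(
  '@context' => { 'to' => 'http://example.invalid/ns#unknown', 'addr' => 'to' },
  'addr' => LEGIT['to'],
  'to' => 'https://www.w3.org/ns/activitystreams#Public'
).freeze

# Returns what each processing path would address the note to.
def compare_paths
  {
    'signature_verifies' => verify?(MISMATCHED, SIGNATURE, KEY),
    'raw_to' => deliver_raw(MISMATCHED, SIGNATURE, KEY)['to'],
    'compacted_to' => deliver_compacted(MISMATCHED, SIGNATURE, KEY)['to']
  }
end

puts JSON.pretty_generate(compare_paths) if $PROGRAM_NAME == __FILE__
```

Running the file prints the three values: the signature verifies for the relayed copy, the raw path would address the note publicly, and the compacted path keeps the followers-only audience the author signed. The defensive rule the fix encodes is that whatever representation the signature was checked over is the only representation the application may act on; a change that does alter the canonical form (editing `content`, say) fails verification in both paths.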

Timeline

Published on: 02/03/2022 20:15:00 UTC
Last modified on: 02/09/2022 15:02:00 UTC