| Severity | CVSS | Advisory | Affected versions |
|---|---|---|---|
| CRITICAL | 9.9 | CVE-2023-36460: Mastodon vulnerable to arbitrary file creation through media attachments | >= 3.5.0, < 3.5.9; >= 4.0.0, < 4.0.5; >= 4.1.0, < 4.1.3 |
| CRITICAL | 9.8 | CVE-2022-2166: Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon | from 0, < 3.5.6 |
| CRITICAL | 9.8 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. | from 0, < 3.3.2; >= 3.4.0, < 3.4.6 |
| CRITICAL | 9.8 | Mastodon Remote user impersonation and takeover | from 0, < 3.5.17; >= 4.0.0, < 4.0.13; >= 4.1.0, < 4.1.13; >= 4.2.0, < 4.2.5 |
| HIGH | 8.2 | Mastodon has improper authorship check on audience extension for existing posts | >= 2.6.0, < 4.1.18; >= 4.2.0, < 4.2.10 |
| HIGH | 7.7 | Lack of media type verification of Activity Streams objects allows impersonation of remote accounts | from 0, < 3.5.19; >= 4.0.0, < 4.0.15; >= 4.1.0, < 4.1.15; >= 4.2.0, < 4.2.7 |
| HIGH | 7.5 | Mastodon vulnerable to Denial of Service from a single post (client/server) | from 0, < 4.3.18; >= 4.4.0, < 4.4.12; >= 4.5.0, < 4.5.5 |
| HIGH | 7.5 | Mastodon e-mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails | >= 3.1.5, < 4.2.24; >= 4.3.0, < 4.3.11; >= 4.4.0, < 4.4.3 |
| HIGH | 7.5 | Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header. | >= 4.1.0, < 4.1.17; >= 4.2.0, < 4.2.9 |
| HIGH | 7.5 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attack… | from 0, < 4.0.3 |
| HIGH | 7.5 | Mastodon vulnerable to Denial of Service through slow HTTP responses | from 0, < 3.5.9; >= 4.0.0, < 4.0.5; >= 4.1.0, < 4.1.3 |
| HIGH | 7.5 | Mastodon Server-Side Request Forgery vulnerability | >= 4.2.0-beta1, < 4.2.0; >= 4.2.0-beta2, < 4.2.0; >= 4.2.0-beta3, < 4.2.0; >= 4.2.0-rc1, < 4.2.0 |
| HIGH | 7.5 | Mastodon Invalid Domain Name Normalization vulnerability | from 0, < 3.5.14; >= 4.0.0, < 4.0.10; >= 4.1.0, < 4.1.8 |
| HIGH | 7.4 | External OpenID Connect Account Takeover by E-Mail Change in mastodon | from 0, < 3.5.18; >= 4.0.0, < 4.0.14; >= 4.1.0, < 4.1.14; >= 4.2.0, < 4.2.6 |
| MEDIUM | 6.5 | Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`) | from 0, < 4.5.6 |
| MEDIUM | 6.5 | Mastodon missing length limits on list names, filter names, and filter keywords | from 0, < 4.3.18; >= 4.4.0, < 4.4.12; >= 4.5.0, < 4.5.5 |
| MEDIUM | 6.5 | Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database | >= 2.5.0, < 3.5.8; >= 4.0.0, < 4.0.4; >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.1 | Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>' | from 0, < 4.3.21; >= 4.4.0, < 4.4.15; >= 4.5.0, < 4.5.8 |
| MEDIUM | 6.1 | Prototype Pollution in mastodon/mastodon | from 0, < 3.5.0 |
| MEDIUM | 6.1 | Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards | >= 1.3.0, < 3.5.9; >= 4.0.0, < 4.0.5; >= 4.1.0, < 4.1.3 |
| MEDIUM | 5.9 | In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. | from 0, < 4.2.9 |
| MEDIUM | 5.4 | Mastodon has insufficient access control to push notification settings | from 0, < 4.3.18; >= 4.4.0, < 4.4.12; >= 4.5.0, < 4.5.5 |
| MEDIUM | 5.4 | Mastodon's verified profile links can be formatted in a misleading way | >= 2.6.0, < 3.5.9; >= 4.0.0, < 4.0.5; >= 4.1.0, < 4.1.3 |
| MEDIUM | 5.4 | Mastodon vulnerable to Stored XSS through the translation feature | >= 4.0.0, < 4.0.10; >= 4.1.0, < 4.1.8 |
| MEDIUM | 5.3 | Mastodon may allow a remote suspension bypass | from 0, < 4.3.18; >= 4.4.0, < 4.4.12; >= 4.5.0, < 4.5.5 |
| MEDIUM | 5.3 | Mastodon's rate-limits are missing on `/auth/setup` | >= 4.2.0, < 4.3.4 |
| MEDIUM | 5.3 | Mastodon's domain blocks & rationales ignore user approval when visibility set as "users" | from 0, < 4.3.4 |
| MEDIUM | 5.3 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | from 0, < 3.5.0 |
| MEDIUM | 4.8 | Mastodon has a denial of service for quote authorization | >= 4.4.0, < 4.4.15; >= 4.5.0, < 4.5.8 |
| MEDIUM | 4.3 | Local Mastodon users can enumerate and access severed relationships of every other local user | from 0, < 4.3.17; >= 4.4.0, < 4.4.11; >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Mastodon quotes control can be bypassed | >= 4.4.0, < 4.4.8 |
| MEDIUM | 4.3 | Mastodon streaming server allows OAuth clients without the `read` scope to subscribe to public channels | from 0, < 4.2.27; >= 4.3.0, < 4.3.14; >= 4.4.0, < 4.4.6 |
| MEDIUM | 4.3 | Mastodon streaming API fails to disconnect disabled and suspended users | from 0, < 4.2.27; >= 4.3.0, < 4.3.14; >= 4.4.0, < 4.4.6 |
| MEDIUM | 4.3 | Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon | from 0, < 4.2.6 |
| MEDIUM | 4.3 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server… | >= 3.5.0, < 3.5.3 |
| LOW | 3.7 | Mastodon Error Handling Discrepancy Enables Private Status Existence Enumeration | from 0, < 4.2.28; >= 4.3.0, < 4.3.15; >= 4.4.0, < 4.4.10 |
| LOW | 3.5 | Mastodon allows continued access after password reset via CLI | from 0, < 4.2.27; >= 4.3.0, < 4.3.14; >= 4.4.0, < 4.4.6 |
| — | — | Mastodon: Insufficient verification of email addresses | from 0, < 4.3.22; >= 4.4.0, < 4.4.16; >= 4.5.0, < 4.5.9 |
| — | — | Mastodon has SSRF via unvalidated FASP Provider base_url | >= 4.4.0, < 4.4.14; >= 4.5.0, < 4.5.7 |
| — | — | Mastodon may allow unconfirmed FASP to make subscriptions | >= 4.4.0, < 4.4.14; >= 4.5.0, < 4.5.7 |
| — | — | Mastodon has SSRF Protection bypass | from 0, < 4.2.29; >= 4.3.0, < 4.3.17; >= 4.4.0, < 4.4.11; >= 4.5.0, < 4.5.4 |