This vulnerability is currently awaiting analysis.
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to be rendered and executed in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, which blocks inline scripts and similar primitives; a CSP bypass or loophole, however, could be exploited to achieve malicious XSS. Exploitation also requires user interaction, since the unsanitized content is only rendered when a user clicks the "Translate" button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.
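The class of bug described above is a trust boundary mistake: the original post body is sanitized on the server, but the text that comes back from the translation backend is treated as already-safe HTML and handed to the browser unescaped. The following is an added illustration, not Mastodon's code and not a reproduction of the patched code path; it assumes a hypothetical translation response object with a `content` field and shows the fix pattern of re-sanitizing that content with the same allowlist policy applied to untranslated posts. The allowlist and the `onerror`/`javascript:` payloads in the constructed sample are assumptions chosen for illustration, and the sanitizer is deliberately small; a production deployment would use a maintained library such as DOMPurify rather than this regex-based one.

```javascript
// Added example, not Mastodon's code. Re-sanitize translation output with the
// same element/attribute allowlist that governs the original post body.

// Hypothetical allowlist, modelled on a typical microblog post policy.
const ALLOWED_TAGS = new Set(["p", "br", "b", "strong", "i", "em", "a", "span"]);
const ALLOWED_ATTRS = new Map([
  ["a", new Set(["href", "rel"])],
  ["span", new Set(["class"])],
]);

// Escape text so it can only ever be rendered as text, never parsed as markup.
function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Only http(s) links survive; javascript:, data:, vbscript: etc. are dropped.
function isSafeHref(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith("https://") || v.startsWith("http://");
}

// Keep only allowlisted attributes for an allowlisted tag. Event handlers such
// as onerror/onclick are never on the allowlist, so they are always removed.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS.get(tag);
  if (!allowed) return "";
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if (name === "href" && !isSafeHref(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Tokenize into tags and text. Unknown tags are dropped (their inner text is
// kept as text), stray '<' characters and all text are entity-escaped, so the
// output can only contain markup that the allowlist explicitly permits.
function sanitizeHtml(html) {
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = "";
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const token = m[0];
    if (m[1] === undefined) {
      out += escapeText(token); // text run, or a lone '<'
      continue;
    }
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // e.g. <img>, <script>, <svg>
    if (token.startsWith("</")) {
      out += `</${tag}>`;
      continue;
    }
    out += `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return out;
}

// Vulnerable pattern: backend output is trusted and used as-is for innerHTML.
function renderTranslationUnsafe(response) {
  return response.content;
}

// Fixed pattern: backend output crosses a trust boundary and is re-sanitized.
function renderTranslationSafe(response) {
  return sanitizeHtml(response.content);
}

// Constructed sample response: what a malicious post could cause a translation
// backend to echo back if it preserves markup from the source text.
const sampleResponse = {
  detectedSourceLanguage: "de",
  content:
    '<p>Hello <img src=x onerror=alert(1)> <a href="javascript:alert(1)">link</a> <b>bold</b></p>',
};

console.log("unsafe :", renderTranslationUnsafe(sampleResponse));
console.log("safe   :", renderTranslationSafe(sampleResponse));
```

Two practitioner notes follow from the advisory text. First, the CSP that limits impact here is defense in depth, not the fix: a sanitizer gap combined with any CSP bypass is a full XSS, so the version check (4.0.10, 4.2.8, 4.2.0-rc2 or later, as the advisory lists them) is what closes the issue. Second, when reviewing similar features, look for every place where content that originated from a user is fetched back from a third-party service (translation, link previews, embeds) and rendered; each of those is a second sanitization point, not a trusted source.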