{"uuid": "c7fc4b39-1fcb-43fd-843d-ff67cd45ae6c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-42452", "type": "seen", "source": "https://t.me/cibsecurity/70741", "content": "\u203c CVE-2023-42452 \u203c\n\nMastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the \u00e2\u20ac\u0153Translate\u00e2\u20ac\ufffd button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-19T20:34:34.000000Z"}