CVE-2023-36462

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-36462
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36462.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-36462
Aliases
Published
2023-07-06T19:16:37.617Z
Modified
2026-02-06T22:54:31.057826Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Mastodon's verified profile links can be formatted in a misleading way
Details

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36462.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
50ce347ef96690767b21ee01d6a785166c583b6b
Fixed
b10c974ba1952c545acff505bfd36feb0c60b000
Database specific 
{
    "versions": [
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "3.5.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
fb389bd73c8a4bc2924496f6041c8eee27572d21
Fixed
8d7f6550f91338fb69e5c6e0cd28653122784665
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/mastodon/mastodon
Events
Introduced
61c5dfb9295ea66c376c452a7ef7379e8c562416
Fixed
0d5781ca7609590a6d5340bb685bb1804056bb46
Database specific 
{
    "versions": [
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.3"
        }
    ]
}

Affected versions

v2.*
v2.6.0
v2.6.1
v2.7.0
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.1
v2.8.0
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.9.0
v2.9.0rc1
v2.9.0rc2
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.1.0
v3.1.0rc1
v3.1.0rc2
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.0rc1
v3.2.0rc2
v3.3.0
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.1
v3.5.0
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.1
v4.1.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36462.json"

Git / github.com/tootsuite/mastodon

Affected ranges

Type
GIT
Repo
https://github.com/tootsuite/mastodon
Events
Introduced
61c5dfb9295ea66c376c452a7ef7379e8c562416
Fixed
0d5781ca7609590a6d5340bb685bb1804056bb46
Introduced
fb389bd73c8a4bc2924496f6041c8eee27572d21
Fixed
8d7f6550f91338fb69e5c6e0cd28653122784665
Introduced
50ce347ef96690767b21ee01d6a785166c583b6b
Fixed
b10c974ba1952c545acff505bfd36feb0c60b000

Affected versions

v2.*
v2.6.0
v2.6.1
v2.7.0
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.1
v2.8.0
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.9.0
v2.9.0rc1
v2.9.0rc2
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.1.0
v3.1.0rc1
v3.1.0rc2
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.0rc1
v3.2.0rc2
v3.3.0
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.1
v3.5.0
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.1
v4.1.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36462.json"