From @MentalOutlaw:
In this video I discuss the recent security updates to Mastodon that fix critical security vulnerabilities allowing cross-site scripting through oEmbed preview cards (CVE-2023-36459) and arbitrary file creation through media attachments (CVE-2023-36460, AKA TootRoot). Make sure the Mastodon instance you're using is on version 4.1.3 or later.
#mastodon #fediverse #admin #cve #cve202336459 #cve202336460 #patch
And the prize for the funniest name of a security vulnerability goes to: Tootroot! 🎉
(CVE-2023-36460)
#tootroot #security #mastodon #cve202336460
Mastodon is finally mainstream enough to get fUnNy names for security vulnerabilities too 🥰
#TootRoot #VulnerabilityManagement #ThankYourAdmins #CVE202336460
Check in with your admins and server operators and make sure your instance is upgraded!
"Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location"
https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm
#CVE202336460
Seems like you can have a rootin' tootin' good time with #CVE202336460
HT @GossiTheDog
For anybody wondering what the Mastodon security issue is (CVE-2023-36460): you can send a toot which makes a webshell on instances that process it. #CVE202336460