Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://digipres.club/users/ryanfb/statuses/112146904149736275">Ryan Baumann (ryanfb@digipres.club)'s status on Sunday, 24-Mar-2024 05:43:33 JST</a><a href="https://digipres.club/@ryanfb" title="ryanfb@digipres.club"><img src="https://gnusocial.jp/avatar/166266-48-20230901151118.webp" width="48" height="48" alt="Ryan Baumann" style="position: absolute; left: 0; top: 0;">Ryan Baumann</a></section><article><p>I don't know who needs to hear this but <a href="https://digipres.club/tags/TruthSocial" rel="tag">#TruthSocial</a>, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-36460" rel="nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2023-36460</a> (probably other CVE's as well, but some rely on federation which Truth Social doesn't use?) <a href="https://digipres.club/tags/infosec" rel="tag">#infosec</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2857228#notice-5675009">In conversation</a><time datetime="2024-03-24T05:43:33+09:00" title="Sunday, 24-Mar-2024 05:43:33 JST">about a year ago</time> <span>from <span><a href="https://digipres.club/@ryanfb/112146904149736275" rel="external" title="Sent from digipres.club via ActivityPub">digipres.club</a></span></span><a href="https://digipres.club/@ryanfb/112146904149736275">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-36460">NVD - CVE-2023-36460</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Ryan Baumann (ryanfb@digipres.club)'s status on Sunday, 24-Mar-2024 05:43:33 JST Ryan Baumann
I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVE's as well, but some rely on federation which Truth Social doesn't use?) #infosec
In conversationabout a year ago from digipres.clubpermalink
Attachments
1. No result found on File_thumbnail lookup.
  NVD - CVE-2023-36460

Public

Embed Notice

HTML Code

Corresponding Notice