pkg:Bitnami/mastodon

41 CVEs in total: CRITICAL 4, HIGH 10, MEDIUM 21, LOW 2 (4 entries carry no severity score)

Check your version

All known vulnerabilities

  • CRITICAL 9.9 CVE-2023-36460 Mastodon vulnerable to arbitrary file creation through media attachments
    >= 3.5.0, < 3.5.9, >= 4.0.0, < 4.0.5, >= 4.1.0, < 4.1.3
  • CRITICAL 9.8 CVE-2022-2166 Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon
    from 0, < 3.5.6
  • CRITICAL 9.8 CVE-2022-24307 Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities.
    from 0, < 3.3.2, >= 3.4.0, < 3.4.6
  • CRITICAL 9.8 CVE-2024-23832 Mastodon remote user impersonation and takeover
    from 0, < 3.5.17, >= 4.0.0, < 4.0.13, >= 4.1.0, < 4.1.13, >= 4.2.0, < 4.2.5
  • HIGH 8.2 CVE-2024-37903 Mastodon has improper authorship check on audience extension for existing posts
    >= 2.6.0, < 4.1.18, >= 4.2.0, < 4.2.10
  • HIGH 7.7 CVE-2024-25623 Lack of media type verification of Activity Streams objects allows impersonation of remote accounts
    from 0, < 3.5.19, >= 4.0.0, < 4.0.15, >= 4.1.0, < 4.1.15, >= 4.2.0, < 4.2.7
  • HIGH 7.5 CVE-2026-23962 Mastodon vulnerable to Denial of Service from a single post (client/server)
    from 0, < 4.3.18, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.5
  • HIGH 7.5 CVE-2025-54879 Mastodon e-mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails
    >= 3.1.5, < 4.2.24, >= 4.3.0, < 4.3.11, >= 4.4.0, < 4.4.3
  • HIGH 7.5 CVE-2023-49952 Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
    >= 4.1.0, < 4.1.17, >= 4.2.0, < 4.2.9
  • HIGH 7.5 CVE-2022-46405 Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attack…
    from 0, < 4.0.3
  • HIGH 7.5 CVE-2023-36461 Mastodon vulnerable to Denial of Service through slow HTTP responses
    from 0, < 3.5.9, >= 4.0.0, < 4.0.5, >= 4.1.0, < 4.1.3
  • HIGH 7.5 CVE-2023-42450 Mastodon Server-Side Request Forgery vulnerability
    >= 4.2.0-beta1, < 4.2.0, >= 4.2.0-beta2, < 4.2.0, >= 4.2.0-beta3, < 4.2.0, >= 4.2.0-rc1, < 4.2.0
  • HIGH 7.5 CVE-2023-42451 Mastodon invalid domain name normalization vulnerability
    from 0, < 3.5.14, >= 4.0.0, < 4.0.10, >= 4.1.0, < 4.1.8
  • HIGH 7.4 CVE-2024-25618 External OpenID Connect account takeover by e-mail change in mastodon
    from 0, < 3.5.18, >= 4.0.0, < 4.0.14, >= 4.1.0, < 4.1.14, >= 4.2.0, < 4.2.6
  • MEDIUM 6.5 CVE-2026-25540 Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (web cache poisoning via `Rails.cache`)
    from 0, < 4.5.6
  • MEDIUM 6.5 CVE-2026-23963 Mastodon missing length limits on list names, filter names, and filter keywords
    from 0, < 4.3.18, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.5
  • MEDIUM 6.5 CVE-2023-28853 Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from the LDAP database
    >= 2.5.0, < 3.5.8, >= 4.0.0, < 4.0.4, >= 4.1.0, < 4.1.2
  • MEDIUM 6.1 CVE-2026-33868 Mastodon has a GET-based open redirect via '/web/%2F<domain>'
    from 0, < 4.3.21, >= 4.4.0, < 4.4.15, >= 4.5.0, < 4.5.8
  • MEDIUM 6.1 CVE-2022-0432 Prototype Pollution in mastodon/mastodon
    from 0, < 3.5.0
  • MEDIUM 6.1 CVE-2023-36459 Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards
    >= 1.3.0, < 3.5.9, >= 4.0.0, < 4.0.5, >= 4.1.0, < 4.1.3
  • MEDIUM 5.9 CVE-2024-34535 In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
    from 0, < 4.2.9
  • MEDIUM 5.4 CVE-2026-23964 Mastodon has insufficient access control on push notification settings
    from 0, < 4.3.18, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.5
  • MEDIUM 5.4 CVE-2023-36462 Mastodon's verified profile links can be formatted in a misleading way
    >= 2.6.0, < 3.5.9, >= 4.0.0, < 4.0.5, >= 4.1.0, < 4.1.3
  • MEDIUM 5.4 CVE-2023-42452 Mastodon vulnerable to stored XSS through the translation feature
    >= 4.0.0, < 4.0.10, >= 4.1.0, < 4.1.8
  • MEDIUM 5.3 CVE-2026-23961 Mastodon may allow a remote suspension bypass
    from 0, < 4.3.18, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.5
  • MEDIUM 5.3 CVE-2025-27157 Mastodon's rate limits are missing on `/auth/setup`
    >= 4.2.0, < 4.3.4
  • MEDIUM 5.3 CVE-2025-27399 Mastodon's domain blocks and rationales ignore user approval when visibility is set to "users"
    from 0, < 4.3.4
  • MEDIUM 5.3 CVE-2022-31263 app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
    from 0, < 3.5.0
  • MEDIUM 4.8 CVE-2026-33869 Mastodon has a denial of service in quote authorization
    >= 4.4.0, < 4.4.15, >= 4.5.0, < 4.5.8
  • MEDIUM 4.3 CVE-2026-22246 Local Mastodon users can enumerate and access severed relationships of every other local user
    from 0, < 4.3.17, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 CVE-2025-62605 Mastodon quote controls can be bypassed
    >= 4.4.0, < 4.4.8
  • MEDIUM 4.3 CVE-2025-62176 Mastodon streaming server allows OAuth clients without the `read` scope to subscribe to public channels
    from 0, < 4.2.27, >= 4.3.0, < 4.3.14, >= 4.4.0, < 4.4.6
  • MEDIUM 4.3 CVE-2025-62175 Mastodon streaming API fails to disconnect disabled and suspended users
    from 0, < 4.2.27, >= 4.3.0, < 4.3.14, >= 4.4.0, < 4.4.6
  • MEDIUM 4.3 CVE-2024-25619 Destroying OAuth applications doesn't notify Streaming of access tokens being destroyed in mastodon
    from 0, < 4.2.6
  • MEDIUM 4.3 CVE-2022-48364 The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server…
    >= 3.5.0, < 3.5.3
  • LOW 3.7 CVE-2025-67500 Mastodon error handling discrepancy enables private status existence enumeration
    from 0, < 4.2.28, >= 4.3.0, < 4.3.15, >= 4.4.0, < 4.4.10
  • LOW 3.5 CVE-2025-62174 Mastodon allows continued access after password reset via CLI
    from 0, < 4.2.27, >= 4.3.0, < 4.3.14, >= 4.4.0, < 4.4.6
  • (no score) CVE-2026-41259 Mastodon: insufficient verification of email addresses
    from 0, < 4.3.22, >= 4.4.0, < 4.4.16, >= 4.5.0, < 4.5.9
  • (no score) CVE-2026-27477 Mastodon has SSRF via unvalidated FASP Provider base_url
    >= 4.4.0, < 4.4.14, >= 4.5.0, < 4.5.7
  • (no score) CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions
    >= 4.4.0, < 4.4.14, >= 4.5.0, < 4.5.7
  • (no score) CVE-2026-22245 Mastodon has SSRF protection bypass
    from 0, < 4.2.29, >= 4.3.0, < 4.3.17, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.4
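The "check your version" step above is a range match: a deployed Mastodon version is affected by an entry when it falls inside one of the `from X, < Y` / `>= X, < Y` intervals listed under it. The following is an added example, not code from this listing or from the Mastodon project, of how to do that match offline. It parses the exact range grammar used on this page (comma-separated bounds, where `from X` or `>= X` opens an interval and the next `< Y` closes it) and orders pre-release tags such as `4.2.0-beta1` before the corresponding release, which the CVE-2023-42450 entry depends on. The five advisories embedded are copied verbatim from the list; the ordering of pre-release tags (alphabetical tag name, then numeric suffix) is an assumption of this example, not something the page states.

```python
"""Match a Mastodon version against affected-version ranges in this page's grammar.

Added example; not part of the vulnerability listing or of Mastodon itself.
Range syntax handled: "from 0, < 3.5.6, >= 4.0.0, < 4.0.5"  ->  [0, 3.5.6) U [4.0.0, 4.0.5)
Assumption: a pre-release tag (beta1, rc1, ...) sorts before its release, and
tags sort alphabetically then by their numeric suffix, so beta2 < rc1 < 4.2.0.
"""
import re
from typing import Dict, List, Optional, Tuple

# Entries copied from the list above (a subset, enough to exercise every range form).
ADVISORIES: Dict[str, str] = {
    "CVE-2023-36460": ">= 3.5.0, < 3.5.9, >= 4.0.0, < 4.0.5, >= 4.1.0, < 4.1.3",
    "CVE-2024-23832": "from 0, < 3.5.17, >= 4.0.0, < 4.0.13, >= 4.1.0, < 4.1.13, >= 4.2.0, < 4.2.5",
    "CVE-2024-37903": ">= 2.6.0, < 4.1.18, >= 4.2.0, < 4.2.10",
    "CVE-2023-42450": ">= 4.2.0-beta1, < 4.2.0, >= 4.2.0-beta2, < 4.2.0, >= 4.2.0-beta3, < 4.2.0, >= 4.2.0-rc1, < 4.2.0",
    "CVE-2026-23962": "from 0, < 4.3.18, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.5",
}

Version = Tuple[int, int, int, int, str, int]
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(text: str) -> Version:
    """Turn '4.2.0-beta1' into a sortable tuple: (4, 2, 0, 0, 'beta', 1).

    The fourth field is 0 for a pre-release and 1 for a release, so any
    pre-release of 4.2.0 compares lower than 4.2.0 itself.  Missing numeric
    components (the bare '0' in 'from 0') are padded with zeros.
    """
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if match.group(2):
        return (nums[0], nums[1], nums[2], 0, match.group(2).lower(), int(match.group(3) or 0))
    return (nums[0], nums[1], nums[2], 1, "", 0)


def parse_ranges(spec: str) -> List[Tuple[Version, Optional[Version]]]:
    """Parse the page's bound list into half-open [lower, upper) intervals.

    A trailing lower bound with no '<' after it is treated as open-ended
    (upper=None); the page does not use that form, but it keeps the parser honest.
    """
    intervals: List[Tuple[Version, Optional[Version]]] = []
    lower: Optional[Version] = None
    for token in spec.split(","):
        token = token.strip()
        if token.startswith("from "):
            lower = parse_version(token[len("from "):])
        elif token.startswith(">= "):
            lower = parse_version(token[len(">= "):])
        elif token.startswith("< "):
            if lower is None:
                raise ValueError(f"upper bound without a lower bound in {spec!r}")
            intervals.append((lower, parse_version(token[len("< "):])))
            lower = None
        else:
            raise ValueError(f"unknown bound {token!r} in {spec!r}")
    if lower is not None:
        intervals.append((lower, None))
    return intervals


def is_affected(version: str, spec: str) -> bool:
    """True when `version` falls inside any interval of `spec`."""
    v = parse_version(version)
    return any(lo <= v and (hi is None or v < hi) for lo, hi in parse_ranges(spec))


def affected_cves(version: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """CVE ids from `advisories` whose ranges cover `version`, sorted for stable output."""
    return sorted(cve for cve, spec in advisories.items() if is_affected(version, spec))


if __name__ == "__main__":
    for candidate in ("3.5.8", "4.2.4", "4.2.0-rc1", "4.5.5"):
        print(candidate, "->", affected_cves(candidate) or "no listed CVE matches")
```

Two caveats the output makes visible. First, ranges on this page start at released versions, so a pre-release such as `4.2.0-rc1` is only caught by entries that list pre-release bounds explicitly (CVE-2023-42450 here) and silently falls through the `>= 4.2.0` intervals of the others; treat a clean result for a pre-release as "not listed", not "not affected". Second, the match is purely on the version string: it says nothing about whether the Bitnami image you run has backported a fix, so confirm against the image's own changelog before closing a finding.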