{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "4.0.0"
              },
              {
                "fixed": "4.0.10"
              }
            ]
          },
          "events": [
            {
              "introduced": "fb389bd73c8a4bc2924496f6041c8eee27572d21"
            },
            {
              "fixed": "3d8ae6ab739ab1222546923c8df703260285fbc3"
            }
          ],
          "repo": "https://github.com/mastodon/mastodon",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "4.1.0"
              },
              {
                "fixed": "4.1.8"
              }
            ]
          },
          "events": [
            {
              "introduced": "61c5dfb9295ea66c376c452a7ef7379e8c562416"
            },
            {
              "fixed": "46bd58f74d11591a0180319285b0c79b2212ef69"
            }
          ],
          "repo": "https://github.com/mastodon/mastodon",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "4.2.0-beta1"
              },
              {
                "fixed": "4.2.0-rc2"
              }
            ]
          },
          "events": [
            {
              "introduced": "dab54ccbba3721382241725bb1c1159d24b5aab2"
            },
            {
              "fixed": "f4b780ba22d0256770766185cee5f8fcc5585c95"
            }
          ],
          "repo": "https://github.com/mastodon/mastodon",
          "type": "GIT"
        }
      ]
    },
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "4.0.0"
              },
              {
                "fixed": "4.0.10"
              },
              {
                "introduced": "4.1.0"
              },
              {
                "fixed": "4.1.8"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.2.0-beta1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.2.0-beta2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.2.0-beta3"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.2.0-rc1"
              }
            ]
          },
          "events": [
            {
              "introduced": "fb389bd73c8a4bc2924496f6041c8eee27572d21"
            },
            {
              "fixed": "3d8ae6ab739ab1222546923c8df703260285fbc3"
            },
            {
              "introduced": "61c5dfb9295ea66c376c452a7ef7379e8c562416"
            },
            {
              "fixed": "46bd58f74d11591a0180319285b0c79b2212ef69"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "dab54ccbba3721382241725bb1c1159d24b5aab2"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "facfec1ba36cee27f232ebff90b990933719235a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "f80f426c57d5a5e1d289372ef7c323741d27c768"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "b90383d07388fe8513e59a6deb1a2391146c6561"
            }
          ],
          "repo": "https://github.com/tootsuite/mastodon",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-2693-xr3m-jhqr"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42452.json"
  },
  "details": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to 4.0.10, 4.1.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML from a malicious post to be rendered in the viewer's browser (stored XSS). The impact is limited by Mastodon's strict Content Security Policy, which blocks inline scripts; however, a CSP bypass or loophole could be combined with this issue to execute malicious scripts. Exploitation also requires user interaction, as the injected HTML is only rendered when a user clicks the “Translate” button on a malicious post. Versions 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.",
  "id": "CVE-2023-42452",
  "modified": "2026-04-01T23:09:07.976552474Z",
  "published": "2023-09-19T15:58:44.559Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42452.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42452"
    },
    {
      "type": "FIX",
      "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mastodon vulnerable to Stored XSS through the translation feature"
}