commit: e39408e0f5feb338221e6c17b1a3b739075e2414
parent 86e63b0908adb866f8c9c464a18b29230e3447d8
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Thu, 15 Feb 2024 23:38:55 +0100
bookmarks: CVE-2024-23832
Diffstat:
1 file changed, 8 insertions(+), 0 deletions(-)
diff --git a/bookmarks.xbel b/bookmarks.xbel
@@ -114,6 +114,14 @@
<bookmark href="https://skarnet.org/software/nsss/nsswitch.html"><title>nsss: the problem with nsswitch</title></bookmark>
<bookmark href="https://research.swtch.com/openssl"><title>Lessons from the Debian/OpenSSL Fiasco</title></bookmark>
<bookmark href="https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/"><title>One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images</title></bookmark>
+ <bookmark href="https://arcanican.is/excerpts/cve-2024-23832/discovery.htm">
+ <title>Remote User Impersonation and Takeover via Cache Poisoning</title>
+ <desc>Writeup by the security issue finder on CVE-2024-23832 fixed in Mastodon 4.2.5 (2024-02-01)</desc>
+ </bookmark>
+ <bookmark href="https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw">
+ <title>Remote user impersonation and takeover</title>
+ <desc>Technical explainations on CVE-2024-23832 fixed in Mastodon 4.2.5 (2024-02-01), TL;DR: There was no Containment of the provided URL serving as an "id" against the message own "id", Mastodon would just trust whatever was in the message.</desc>
+ </bookmark>
</folder>
<folder>
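Review bot: the desc text of the second added bookmark (the GHSA-3fjr-858r-92rw entry) has a spelling error and some rough grammar: "explainations" should be "explanations", "the message own "id"" should be "the message's own "id"", and "Containment" does not need a capital. The TL;DR is also ambiguous about which URL is "the provided URL". Consider wording it as something like: "Mastodon did not check the URL given as an object's "id" against the "id" of the message carrying it, and trusted whatever the message contained." Both desc elements repeat "CVE-2024-23832 fixed in Mastodon 4.2.5 (2024-02-01)". That is fine for searching the file, but the first one could drop "security issue finder" in favour of "the reporter" for readability.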