Mastodon Password Reset Vulnerability Allows Session Hijacking
Vulnerability
A vulnerability exists in Mastodon versions prior to 4.4.6, 4.3.14, and 4.2.27, where resetting a user's password via the command-line interface does not revoke active sessions or access tokens. This oversight enables an attacker with a compromised session or token to continue accessing the account after the password has been changed. The issue has been addressed in the mentioned patched versions.
Impact
The vulnerability allows continued access to a user's account through active sessions or tokens, even after a password reset, potentially leading to unauthorized actions or access to sensitive information.
Reproduction
To reproduce this vulnerability, an administrator can reset a user's password using the command-line interface option '--reset-password'. After the password is reset, any active sessions or access tokens for that user will remain valid, allowing continued access to the account.
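The following is an added illustration, written in Ruby because Mastodon is a Rails application; it is not Mastodon's own code and the `User`, `Session` and `AccessToken` classes and the `reset_password_unsafe!`/`reset_password!` method names are assumptions for the sake of the example. It models a user holding a live web session and an OAuth access token, shows the flawed pattern the advisory describes (only the password hash is rewritten, so both credentials keep working), and beside it a reset that also revokes every credential issued under the old password, plus a post-reset check an operator can run to confirm nothing stale survived.

```ruby
# Added example, not Mastodon's code: a minimal in-memory model of a user
# with web sessions and OAuth access tokens, contrasting a password reset
# that only rewrites the password hash with one that also revokes
# previously issued credentials.
require 'digest'
require 'securerandom'

Session = Struct.new(:id, :user_id, :revoked) do
  def active?
    !revoked
  end
end

AccessToken = Struct.new(:token, :user_id, :revoked_at) do
  def active?
    revoked_at.nil?
  end
end

class User
  attr_reader :id, :sessions, :access_tokens

  def initialize(id, password)
    @id = id
    @password_digest = digest(password)
    @sessions = []
    @access_tokens = []
  end

  def authenticate(password)
    @password_digest == digest(password)
  end

  # Issue a web session (e.g. after a browser login).
  def create_session
    Session.new(SecureRandom.hex(8), id, false).tap { |s| @sessions << s }
  end

  # Issue an OAuth access token (e.g. for a mobile client).
  def create_access_token
    AccessToken.new(SecureRandom.hex(16), id, nil).tap { |t| @access_tokens << t }
  end

  # Flawed behaviour (the pattern the advisory describes): only the password
  # hash changes; existing sessions and tokens remain valid.
  def reset_password_unsafe!(new_password)
    @password_digest = digest(new_password)
  end

  # Hardened behaviour: rotate the password AND revoke every credential that
  # was issued while the old password was in force.
  def reset_password!(new_password)
    @password_digest = digest(new_password)
    @sessions.each { |s| s.revoked = true }
    @access_tokens.each { |t| t.revoked_at = Time.now.utc }
  end

  # Post-reset check an operator can run: after a reset, nothing issued
  # before it should still count as active.
  def live_credentials
    { sessions: @sessions.count(&:active?), tokens: @access_tokens.count(&:active?) }
  end

  private

  # Toy digest for illustration only; a real system uses bcrypt/argon2 with a salt.
  def digest(password)
    Digest::SHA256.hexdigest("user-#{id}:#{password}")
  end
end

# Simulates "a session and a token already exist; an administrator resets
# the password from the CLI". Returns true if either pre-reset credential
# still works afterwards.
def stale_credentials_survive?(safe:)
  user = User.new(42, 'old-password')          # constructed sample user
  session = user.create_session
  token = user.create_access_token
  if safe
    user.reset_password!('new-password')
  else
    user.reset_password_unsafe!('new-password')
  end
  session.active? || token.active?
end

if __FILE__ == $PROGRAM_NAME
  puts "flawed reset leaves stale credentials:   #{stale_credentials_survive?(safe: false)}"
  puts "hardened reset leaves stale credentials: #{stale_credentials_survive?(safe: true)}"
end
```

The design point is that a password is only one of several credentials bound to an account; a reset is a credential-rotation event, so the same code path must invalidate sessions and tokens, and an operator can verify the outcome by counting what is still active immediately after the reset.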
Remediation
Users can update to Mastodon versions 4.4.6, 4.3.14, or 4.2.27 to address this vulnerability.
