CVE-2023-36462: 
NixOS vulnerability analysis and mitigation

Mastodon, a free, open-source social network server based on ActivityPub, was found to contain a vulnerability (CVE-2023-36462) that affects versions from 2.6.0 up to versions 3.5.9, 4.0.5, and 4.1.3. The vulnerability was discovered and disclosed in July 2023, allowing attackers to manipulate verified profile links in a way that could be used for phishing attacks (GitHub Advisory, NVD).

The vulnerability allows an attacker to craft a verified profile link using specific formatting to conceal arbitrary parts of the link, making it appear to link to a different URL altogether. While clicking the link would reveal its actual destination, the visual deception could be exploited similarly to IDN homograph attacks. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (GitHub Advisory).

The primary impact of this vulnerability is the potential for phishing attacks through misleading verified profile links. While the actual link destination is revealed upon clicking, the visual deception could be used to trick users into believing they are interacting with legitimate profiles or resources (GitHub Advisory).

The vulnerability has been patched in Mastodon versions 3.5.9, 4.0.5, and 4.1.3. Users are advised to upgrade to these or newer versions to mitigate the risk. The fix includes changes to how verified profile links are handled and displayed (GitHub Release, GitHub Release, GitHub Release).