Summary
Mastodon allows users to ignore or filter private mentions from non-followers, with an exception for replies to private mentions initiated by the user. However, the implementation of that exception was incorrect, allowing attackers to send Private Mentions to people with whom they have no follow relationships.
Impact
This vulnerability allows bypassing some of Mastodon's filtering capabilities, so it can be used for spam or harassment, but the impact is limited as other filtering capabilities such as blocks, mutes, and word filters are unaffected.
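To make the intended rule concrete, here is an added example (not Mastodon's code) that models the "private mentions from non-followers" filter with the reply exception applied correctly; the Account and Status structs and the filter_private_mention? helper are simplified assumptions for illustration.

```ruby
# Hypothetical model of the filtering rule described in the advisory
# (constructed example, not Mastodon's implementation).
# A direct-visibility status from an account the recipient does not follow
# is filtered, unless it is a reply to a direct-visibility status that the
# recipient authored and in which the recipient mentioned the sender.
Account = Struct.new(:id, :following, keyword_init: true) do
  def follows?(other)
    following.include?(other.id)
  end
end

Status = Struct.new(:id, :account, :visibility, :in_reply_to, :mentions,
                    keyword_init: true) do
  def direct?
    visibility == :direct
  end
end

# Returns true when the recipient's "ignore private mentions from people
# I don't follow" setting should suppress this status.
def filter_private_mention?(status, recipient)
  return false unless status.direct?                      # only private mentions are affected
  return false if status.account.id == recipient.id       # own statuses never filtered
  return false if recipient.follows?(status.account)      # followed accounts are allowed

  parent = status.in_reply_to
  # Exception: the recipient started this private conversation with the
  # sender. Every condition must hold; "it is a reply" alone is not enough,
  # and the parent must be the recipient's own private mention of the sender.
  allowed_reply = parent &&
                  parent.direct? &&
                  parent.account.id == recipient.id &&
                  parent.mentions.include?(status.account.id)
  !allowed_reply
end
```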