(This advisory describes an issue found by Cure53 as part of an audit performed at Mozilla's request)

Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards.

Impact

This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through.