this post was submitted on 10 Jul 2023
19 points (95.2% liked)

Meta (slrpnk.net)


cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

top 3 comments
[–] j_roby 8 points 1 year ago (1 children)

I just saw this on my feed. It's above my pay grade, but seemed urgent enough to cross post here

[–] j_roby 4 points 1 year ago
[–] poVoq 5 points 1 year ago

I applied the mitigations and invalidated all login tokens.

As far as I can tell slrpnk.net was not directly affected though.