19

(URGENT) Lemmy has an XSS vulnerability in the sidebar (slrpnk.net)

submitted 1 year ago by j_roby@slrpnk.net to c/meta@slrpnk.net

3 comments fedilink hide all child comments

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

top 3 comments

sorted by: hot top controversial new old

[-] j_roby@slrpnk.net 8 points 1 year ago

I just saw this on my feed. It's above my pay grade, but seemed urgent enough to cross post here

[-] j_roby@slrpnk.net 4 points 1 year ago

More info here:

https://lemmy.ml/post/1895271

[-] poVoq@slrpnk.net 5 points 1 year ago

I applied the mitigations and unvalidated all login tokens.

As far as I can tell slrpnk.net was not directly effected though.

this post was submitted on 10 Jul 2023

19 points (95.2% liked)

Meta (slrpnk.net)

505 readers

1 users here now

Here we can discuss anything about this Lemmy instance/server itself.

Our XMPP support chat: Movim or XMPP client.

Please also refer to our Wiki

founded 2 years ago

MODERATORS

poVoq@slrpnk.net

Five@slrpnk.net

ProdigalFrog@slrpnk.net