AlternateRoute@lemmy.ca to Lemmy.ca's Main Community@lemmy.caEnglish · 2 years ago

(URGENT) Lemmy has an XSS vulnerability in the sidebar

94

(URGENT) Lemmy has an XSS vulnerability in the sidebar

AlternateRoute@lemmy.ca to Lemmy.ca's Main Community@lemmy.caEnglish · 2 years ago

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

Chat

ChemicalRascal@kbin.social
link
fedilink
arrow-up
1·
2 years ago
That would essentially be patching the vulnerability. A temporary fix would be just preventing the sidebar from being editable.

(Ideally the vulnerability would be patched, but these things take time.)

Lemmy.ca's Main Community@lemmy.ca

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]

Welcome to the lemmy.ca/c/main community!

All new users on lemmy.ca are automatically subscribed to this community, so this is the place to read announcements, make suggestions, and chat about the goings-on of lemmy.ca.

For support requests specific to lemmy.ca, you can use [email protected].

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

8 users / day
92 users / week
684 users / month
1.67K users / 6 months
2 local subscribers
3.25K subscribers
260 Posts
2.94K Comments
Modlog