Looks like there are other potential vulnerabilities which makes this issue worse. Possibly CSRF? https://github.com/LemmyNet/lemmy/issues/3505
this post was submitted on 06 Jul 2023
20 points (95.5% liked)
Discussions related to Infosec.pub
1123 readers
1 users here now
founded 1 year ago
MODERATORS
Hits a 404 now on the link (sh.itjust.works link above), does anyone have a TLDR?
Deleting the post might have been damage control because the disclosure was not responsible. Details are in the project GitHub, but basically it's possible to trick Lemmy into serving injected JavaScript by making a post with a crafted URL.
This could allow a user to compromise the accounts of other users if you can get them to click on your post.
I use "top day" when this happens to me.(jerboa)
Thanks for notifying us!
view more: next ›