Discussions related to Infosec.pub

1136 readers

1 users here now

founded 2 years ago

MODERATORS

[email protected]

Lemmy Security Vulnerability: XSS In the Wild (sh.itjust.works)

submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/[email protected]

9 comments fedilink hide all child comments

Be careful what posts you click until this is patched.

EDIT: Clarify, this server I expect is also vulnerable, hence the choice of community.

top 6 comments

sorted by: hot top controversial new old

[–] [email protected] 3 points 2 years ago

Looks like there are other potential vulnerabilities which makes this issue worse. Possibly CSRF? https://github.com/LemmyNet/lemmy/issues/3505

[–] [email protected] 2 points 2 years ago (1 children)

Hits a 404 now on the link (sh.itjust.works link above), does anyone have a TLDR?

[–] [email protected] 7 points 2 years ago* (last edited 2 years ago)

Deleting the post might have been damage control because the disclosure was not responsible. Details are in the project GitHub, but basically it's possible to trick Lemmy into serving injected JavaScript by making a post with a crafted URL.

This could allow a user to compromise the accounts of other users if you can get them to click on your post.

[–] Vashtea 1 points 2 years ago

I use "top day" when this happens to me.(jerboa)

[–] [email protected] 1 points 2 years ago

Thanks for notifying us!

load more comments