173

(URGENT) Lemmy has an XSS vulnerability in the sidebar

posted
by
Avatar
AlternateRoute@lemmy.ca
in
Avatar
main@lemmy.ca
43 comments
hidereport

cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

Sort:
HotTopControversialNewOld
You are viewing a single thread.
View all comments
Avatar
mr47@kbin.social
7 points

I mean, if it’s something that’s editable only by admins of the instance, I’m not sure it constitutes a vulnerability, since admins can change the content to whatever they desire by definition.

permalink
report
reply
Avatar
AlternateRoute@lemmy.caOP
5 points

Wasn’t clear till further people commented that it was something only and admin could do. So I agree.

permalink
report
parent
reply
Avatar
TruckBC@lemmy.caM
6 points

We have yet to confirm if a vulnerability exists in the sidebars that can be set by community mods.

permalink
report
parent
reply
Avatar
Uncle@lemmy.ca
2 points

can you temporally take away the ability for mods to put html or any kinda script into the sidebar, at least for now?

permalink
report
parent
reply
Show more comments

Lemmy.ca's Main Community

!main@lemmy.ca

Create post

Welcome to lemmy.ca’s c/main!

Since everyone on lemmy.ca gets subscribed here, this is the place to chat about the goings on at lemmy.ca, support-type items, suggestions, etc.

Announcements can be found at https://lemmy.ca/c/meta

For support related to this instance, use https://lemmy.ca/c/lemmy_ca_support

Community stats

  • 89

    Monthly active users

  • 188

    Posts

  • 2.2K

    Comments

Community moderators