ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING

Details:
https://lemmy.world/post/1293336

Lemmy.world was hacked and most Lemmy servers are still vulnerable to the exploit:
https://lemmy.world/post/1290412

[posted also to @fediverse]

3 points

@liaizon @fediverse I only joined a few days ago. I suppose this means I have to alter my password?

permalink
report
reply
3 points

The attack shouldn’t have exposed passwords or hashes, only the JWT cookie. The secret on the server has been changed so all old cookies should no longer work.

There is a very small possibility that email address may have been able to be seen if they logged is as you, but they were looking for admin accounts

permalink
report
parent
reply
1 point

Anyone knows what maintainers should do to patch the vulnerability?

permalink
report
parent
reply
2 points

Been patched already in release 0.18.2-rc’s

permalink
report
parent
reply

Hi there! Looks like you linked to a Lemmy community using an URL instead of its name, which doesn’t work well for people on different instances. Try fixing it like this: !fediverse@lemmy.ml

permalink
report
parent
reply
4 points

@sal@mander.xyz we ok?

permalink
report
reply
3 points

Ah, just seeing this: https://mander.xyz/comment/987556

permalink
report
parent
reply
3 points

Yeah, thank you! Only had to sacrifice our custom emojis for now :)

permalink
report
parent
reply
3 points

Waiting on patches to propagate to the container registries.

permalink
report
reply
33 points
*
Deleted by creator
permalink
report
reply
-33 points

@cwagner oh no some admin who didn’t add custom emojos might get alerted that their is a bad bug and not have anything to do!

permalink
report
parent
reply
18 points

It is generally a good practice to be specific when describing vulnerabilities. Further, people tend to just read headlines and we know this. You don’t need to be a snarky jerk when someone points that out. Heaven forbid people learn something, sheesh.

permalink
report
parent
reply
35 points
*
Deleted by creator
permalink
report
parent
reply
16 points

OP was unnecessarily rude to you. I’m waiting for my mod ban for calling them out. This place can’t be that different than reddit.

permalink
report
parent
reply
13 points

This would be more relevant in !lemmy@lemmy.ml, although there’s already a post about it there.

permalink
report
reply
0 points

@mondoman712 lemmy is part of the fediverse so it is relevant

permalink
report
parent
reply
4 points

cross-post it to !lemmy_support@lemmy.ml too.

permalink
report
parent
reply

Fediverse

!fediverse@lemmy.ml

Create post

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of “federation” and “universe”.

Getting started on Fediverse;

Community stats

  • 464

    Monthly active users

  • 820

    Posts

  • 12K

    Comments