Lemmy.ca
  • Communities
  • Create Post
  • Create Community
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
Casiraghi@feddit.it to Caffè Italia@feddit.it · 2 years ago

C'è una vulnerabilità in corso su lemmy, impatta anche feddit?

sh.itjust.works

external-link
message-square
0
link
fedilink
  • cross-posted to:
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
1
external-link

C'è una vulnerabilità in corso su lemmy, impatta anche feddit?

sh.itjust.works

Casiraghi@feddit.it to Caffè Italia@feddit.it · 2 years ago
message-square
0
link
fedilink
  • cross-posted to:
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works
sh.itjust.works
external-link
# DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes. "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
alert-triangle
You must log in or # to comment.

Caffè Italia@feddit.it

caffeitalia@feddit.it

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]

Caffé italia è la community dove poter parlar di tutto quello che non ha una community specifica in feddit.it

Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 1 user / day
  • 5 users / week
  • 14 users / month
  • 126 users / 6 months
  • 3 local subscribers
  • 787 subscribers
  • 315 Posts
  • 609 Comments
  • Modlog
  • mods:
  • kentaromiura@feddit.it
  • skariko@feddit.it
  • BE: 0.19.12
  • Modlog
  • Legal
  • Instances
  • Docs
  • Code
  • join-lemmy.org