this post was submitted on 06 Jul 2023
20 points (95.5% liked)

Discussions related to Infosec.pub

1121 readers
2 users here now

founded 1 year ago
MODERATORS
[email protected]
20
Lemmy Security Vulnerability: XSS In the Wild (sh.itjust.works)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
8 comments fedilink hide all child comments
 

Be careful what posts you click until this is patched.

EDIT: Clarify, this server I expect is also vulnerable, hence the choice of community.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 4 points 1 year ago (1 children)

Hits a 404 now on the link (sh.itjust.works link above), does anyone have a TLDR?

[โ€“] [email protected] 8 points 1 year ago* (last edited 1 year ago)

Deleting the post might have been damage control because the disclosure was not responsible. Details are in the project GitHub, but basically it's possible to trick Lemmy into serving injected JavaScript by making a post with a crafted URL.

This could allow a user to compromise the accounts of other users if you can get them to click on your post.