ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING
Details:
https://lemmy.world/post/1293336
Lemmy.world was hacked and most Lemmy servers are still vulnerable to the exploit:
https://lemmy.world/post/1290412
[posted also to @fediverse]
This would be more relevant in !lemmy@lemmy.ml, although there’s already a post about it there.
@mondoman712 lemmy is part of the fediverse so it is relevant
cross-post it to !lemmy_support@lemmy.ml too.
@randoom go for it!
You do it. It’s your post.
@randoom You do it. It's your desire.
You do it. You should have posted it there.
@randoom Please fuck off
I wasn’t being disrespectful. And thank you, it’s always fun to argue with a total stranger.
@liaizon is just not a very kind or reasonable person. It’s not you, it’s them.
@MaybeItWorks lol fuck off
Should really have “If you added custom emojis” somewhere ;)
@cwagner oh no some admin who didn't add custom emojos might get alerted that their is a bad bug and not have anything to do!
Sorry for suggesting how your post can become more informative, I’ll make sure to avoid doing such things in the future.
OP was unnecessarily rude to you. I’m waiting for my mod ban for calling them out. This place can’t be that different than reddit.
It is generally a good practice to be specific when describing vulnerabilities. Further, people tend to just read headlines and we know this. You don’t need to be a snarky jerk when someone points that out. Heaven forbid people learn something, sheesh.
@MaybeItWorks I responded snarky and I agree that isn't helpful either. it was the third reply I had gotten criticizing this post which set me off a bit. Maybe the people responding were just trying to be helpful but so was I so we I guess we all need to take a look at our own responses mechanisms
Waiting on patches to propagate to the container registries.
@sal@mander.xyz we ok?
Yeah, thank you! Only had to sacrifice our custom emojis for now :)
@liaizon ih dear. JWT & emojiis.
@liaizon @fediverse I only joined a few days ago. I suppose this means I have to alter my password?
The attack shouldn’t have exposed passwords or hashes, only the JWT cookie. The secret on the server has been changed so all old cookies should no longer work.
There is a very small possibility that email address may have been able to be seen if they logged is as you, but they were looking for admin accounts
Anyone knows what maintainers should do to patch the vulnerability?
Been patched already in release 0.18.2-rc’s