cross-posted from: https://sh.itjust.works/post/923025

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

  • Gamingodcat@2dl.euEnglish
    331·
    1 year ago

    This has nothing to do with XSS, it is a simple HTML injection vulnerability, and it can only be exploited by instance admins.

    Also Lemmy.world appears to have been running a custom frontend so it’s hard to say how widespread the affects of this are.

    • TruckBC@lemmy.caMEnglish
      9·
      1 year ago

      You seem to be following the situation closely. Could you please DM me on Matrix?

    • pazukaza@lemmy.mlEnglish
      21·
      1 year ago

      Worst case scenario, they can steal your Lemmy session, right?

      Which isn’t super bad for a service like Lemmy. This isn’t a social network, so most contact list scams would be useless.

      Edit: just read the targets were admins. That IS bad.

        • pazukaza@lemmy.mlEnglish
          3·
          1 year ago

          I mean, not in the traditional sense. You don’t have your family and friends as Lemmy contacts and share posts with them. It’s more anonymous.