Be careful what posts you click until this is patched.

EDIT: Clarify, this server I expect is also vulnerable, hence the choice of community.

    • henfredemars@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      1 year ago

      Deleting the post might have been damage control because the disclosure was not responsible. Details are in the project GitHub, but basically it’s possible to trick Lemmy into serving injected JavaScript by making a post with a crafted URL.

      This could allow a user to compromise the accounts of other users if you can get them to click on your post.