Hey all,
As others mentioned we did not have custom emojis so we were not affected by this particular attack. I have since upgraded our UI to 0.18.2-rc.1 which mitigates this XSS vulnerability.
Hey, thanks Dude for your reply! I’m glad to hear this instance isn’t affected and y’all already pushed a fix. Thanks for all you do.
Good to know and a strong argument for not jumping to implement brand-new features (let the others be testers haha)
I love that you chose TheDude for your account name as the admin of this instance. It just fits so well
The Dude abides.
Edit: TheDude@sh.itjust.works instead of “buy me a coffee”, it should be “buy me a White Russian”
sh.itjust.works doesn’t have custom emojis and so is fairly safe from this specific exploit. Only local users of instances with custom emojis were at risk if they had visited a malicious page on their home instance.
Lemmy-ui pushed a fix for this vulnerability just 8 minutes ago, so we’ll see if that makes it here.
Thanks for the heads up!
2fa could be bypassed. Didn’t matter.
All instances were equally vulnerable. But not all were targeted.
Theres been advice on mitigations to prevent this particular vulnerability. If your instance has implemented them, shouldn’t be a problem.
A UI fix should be pushed shortly.
Home of the sh.itjust.works instance.
