What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a URL or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack.

https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users into clicking your post's URL.

Reproduction

Lemmy does not properly sanitize URIs on posts, leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client. To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URIs seems like the easiest approach. Be careful what posts you click until this is patched.

EDIT: To clarify, this server I expect is also vulnerable, hence the choice of community.
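The "Patching" section suggests blocking javascript: and data: URIs. The safer form of that fix is a scheme allowlist applied before a post URL is rendered as an href, since parsing with the WHATWG URL parser normalizes case and strips whitespace and control characters that a plain string match on "javascript:" would miss. The following is an added example written for this thread, not Lemmy's own code; the function names and the sample inputs (other than the javascript:alert(1)// string from the report) are constructed.

```javascript
// Added example (not Lemmy's code): validate a user-supplied post URL by
// scheme allowlist before it is rendered as a clickable href.
// Assumption: runs in Node.js or a browser where the WHATWG URL global exists.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string if it is safe to render as an href,
// otherwise null (the caller should then render plain text, not a link).
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG parser lowercases the scheme, strips leading/trailing
    // spaces and C0 controls, and removes embedded tabs and newlines, so
    // inputs such as "  JavaScript:..." or "java\tscript:..." all parse with
    // protocol "javascript:" and fall to the allowlist check below.
    // Relative or scheme-less input throws here and is rejected as well.
    url = new URL(raw);
  } catch (_err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Constructed sample inputs: the string from the report plus variants a
// case-sensitive blocklist would not catch.
const SAMPLES = [
  "https://example.org/post/1",
  "http://example.org/",
  "javascript:alert(1)//",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hello",
  "example.org/no-scheme",
];

// Pairs each sample with the allowlist verdict (null means blocked).
function classify(samples) {
  return samples.map((s) => [s, safeHref(s)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [raw, result] of classify(SAMPLES)) {
    console.log(result === null ? "BLOCK" : "ALLOW", JSON.stringify(raw));
  }
}
```

Rendering the rejected value as plain text rather than silently dropping it keeps the post intact while removing the clickable vector.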
Hits a 404 now on the link (sh.itjust.works link above), does anyone have a TLDR?
Deleting the post might have been damage control because the disclosure was not responsible. Details are in the project GitHub, but basically it’s possible to trick Lemmy into serving injected JavaScript by making a post with a crafted URL.
This could allow a user to compromise the accounts of other users if you can get them to click on your post.