ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING
ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING
Details:
https://lemmy.world/post/1293336
Lemmy.world was hacked and most Lemmy servers are still vulnerable to the exploit:
https://lemmy.world/post/1290412
[posted also to @fediverse]
286
Comments37
Hi there! Looks like you linked to a Lemmy community using an URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: ![email protected]
I love you bot, keep being good.
I posted this from mastodon where you can't link to communities in that way...
Well, in that case ignore it, it at least provides a clickable link for Lemmy users.
Good bot
Good bot.
¡Nay! Great bot
Sensational bot
I thought it was typed "a URL", not " an URL"
Not sure though, dont kill me, English isn't my native language.
They're both acceptable in English. The rule is generally "an" if the following word starts with a vowel. But, it gets a bit tricky with initialisms (like URL) because URL is normally pronounced something like "you-are-ell", and not "earl". So the spelling starts with a vowel, but the pronunciation doesn't. Nobody would fault you for using one or the other in a situation like this.
TIL, I always thought the sound made the law (so a URL but not an URL)
I'm sure some style guide(s) have hard and fast rules but being called out for it in everyday conversation doesn't (shouldn't) happen for something like that. English also isn't French, it doesn't have a regulatory body, and so attempting to pin down certain things as definitively correct or definitively wrong isn't always a reasonable thing to do.
Oh okay thank you :)
It has been fixed, thanks!
@cwagner oh no some admin who didn't add custom emojos might get alerted that their is a bad bug and not have anything to do!
OP was unnecessarily rude to you. I’m waiting for my mod ban for calling them out. This place can’t be that different than reddit.
It is generally a good practice to be specific when describing vulnerabilities. Further, people tend to just read headlines and we know this. You don’t need to be a snarky jerk when someone points that out. Heaven forbid people learn something, sheesh.
This would be more relevant in ![email protected], although there's already a post about it there.
@mondoman712 lemmy is part of the fediverse so it is relevant
cross-post it to ![email protected] too.
@randoom go for it!
You do it. It's your post.
@randoom You do it. It's your desire.
You do it. You should have posted it there.
@randoom Please fuck off
@[email protected] we ok?
Ah, just seeing this: https://mander.xyz/comment/987556
Yeah, thank you! Only had to sacrifice our custom emojis for now :)
@liaizon @fediverse I only joined a few days ago. I suppose this means I have to alter my password?
The attack shouldn't have exposed passwords or hashes, only the JWT cookie. The secret on the server has been changed so all old cookies should no longer work.
There is a very small possibility that email address may have been able to be seen if they logged is as you, but they were looking for admin accounts
Anyone knows what maintainers should do to patch the vulnerability?
Been patched already in release 0.18.2-rc's
Hi there! Looks like you linked to a Lemmy community using an URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: ![email protected]
Waiting on patches to propagate to the container registries.