(URGENT) Lemmy has an XSS vulnerability in the sidebar - sh.itjust.works - eviltoast
  • Soviet Snake@lemmygrad.ml
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    Don’t post this kind of things, the less attention the better, communicate with developers in a private way and let them know about vulnerabilities.

    • darkcalling@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      It’s being actively exploited in the wild as we speak.

      Private disclosure is only useful and necessary when vulnerabilities are not being actively exploited or if they are exceptionally technically difficult requiring very specific conditions and you are disclosing specifically those conditions which might enable additional exploitation before a fix.

      However, this is a technically simple exploit, disclosing it exists will not enable more attackers.

      It is responsible in situations where something is being actively exploited, it is a simple exploit, etc to discuss, inform, and yes let others who may want to patch themselves have the knowledge needed to patch when devs are asleep or otherwise unable to act expediently.

    • Łumało [he/him]@lemmygrad.mlOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      I posted it this way because it was already public, even detailing how the vulnerability worked on github, and because I thought of informing as many as possible. I should’ve explicitly stated this, but I hoped this would encourage logging off (we seriously need a log off emoji) and possibly changing your password later to remedy this.