this post was submitted on 10 Jul 2023
287 points (97.7% liked)

Fediverse

17788 readers
3 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

ATTENTION LEMMY ADMINS: XSS VULNERABILITY NEEDS PATCHING

Details:
https://lemmy.world/post/1293336

Lemmy.world was hacked and most Lemmy servers are still vulnerable to the exploit:
https://lemmy.world/post/1290412

[posted also to @fediverse]

top 37 comments
sorted by: hot top controversial new old
[–] [email protected] 83 points 1 year ago (6 children)

Hi there! Looks like you linked to a Lemmy community using an URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: [email protected]

[–] [email protected] 19 points 1 year ago

I love you bot, keep being good.

[–] [email protected] 13 points 1 year ago (1 children)

I posted this from mastodon where you can't link to communities in that way...

[–] [email protected] 1 points 1 year ago

Well, in that case ignore it, it at least provides a clickable link for Lemmy users.

[–] [email protected] 9 points 1 year ago
[–] [email protected] 3 points 1 year ago

Good bot.

¡Nay! Great bot

[–] [email protected] 2 points 1 year ago

Sensational bot

[–] [email protected] 2 points 1 year ago (2 children)

I thought it was typed "a URL", not " an URL"

Not sure though, dont kill me, English isn't my native language.

[–] [email protected] 8 points 1 year ago (2 children)

They're both acceptable in English. The rule is generally "an" if the following word starts with a vowel. But, it gets a bit tricky with initialisms (like URL) because URL is normally pronounced something like "you-are-ell", and not "earl". So the spelling starts with a vowel, but the pronunciation doesn't. Nobody would fault you for using one or the other in a situation like this.

[–] [email protected] 3 points 1 year ago (1 children)

TIL, I always thought the sound made the law (so a URL but not an URL)

[–] [email protected] 2 points 1 year ago

I'm sure some style guide(s) have hard and fast rules but being called out for it in everyday conversation doesn't (shouldn't) happen for something like that. English also isn't French, it doesn't have a regulatory body, and so attempting to pin down certain things as definitively correct or definitively wrong isn't always a reasonable thing to do.

[–] [email protected] 1 points 1 year ago

Oh okay thank you :)

[–] [email protected] 2 points 1 year ago

It has been fixed, thanks!

[–] [email protected] 13 points 1 year ago (1 children)

This would be more relevant in [email protected], although there's already a post about it there.

[–] [email protected] 0 points 1 year ago (1 children)

@mondoman712 lemmy is part of the fediverse so it is relevant

[–] [email protected] 4 points 1 year ago (1 children)
[–] [email protected] -1 points 1 year ago (1 children)
[–] [email protected] -5 points 1 year ago (1 children)

You do it. It's your post.

[–] [email protected] 6 points 1 year ago (1 children)
[–] [email protected] 4 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

Yeah, thank you! Only had to sacrifice our custom emojis for now :)

[–] [email protected] 3 points 1 year ago

Waiting on patches to propagate to the container registries.

[–] [email protected] 3 points 1 year ago (2 children)

@liaizon @fediverse I only joined a few days ago. I suppose this means I have to alter my password?

[–] [email protected] 3 points 1 year ago (1 children)

The attack shouldn't have exposed passwords or hashes, only the JWT cookie. The secret on the server has been changed so all old cookies should no longer work.

There is a very small possibility that email address may have been able to be seen if they logged is as you, but they were looking for admin accounts

[–] [email protected] 1 points 1 year ago (1 children)

Anyone knows what maintainers should do to patch the vulnerability?

[–] [email protected] 2 points 1 year ago

Been patched already in release 0.18.2-rc's

[–] [email protected] 1 points 1 year ago

Hi there! Looks like you linked to a Lemmy community using an URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: [email protected]