Support BlueEther 1y ago 100%

XSS fix

sunaurus just posted this in the Lemmy dev chat:

Reposting from another channel to get this out to as many admins as possible:

Current mitigations:

Remove custom emoji

DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;

Overwrite content with the exploit

UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Rotate your JWT secret (invalidates all current login sessions)

-- back up your secret first, just in case

SELECT * FROM secret;

-- generate a new secret

UPDATE secret SET jwt_secret = gen_random_uuid();

Probably worth doing
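Added example (not part of BlueEther's post or sunaurus's message): a dry run of the same mitigation, so an admin can count and inspect what the UPDATE statements would overwrite before running them. It assumes Lemmy's PostgreSQL schema as named in the post and that those tables carry id, creator_id and published columns; run it with psql against the Lemmy database.

```sql
-- Dry run of the mitigation above: counts, a sample, a backup copy and a
-- look at the secret table, all inside a transaction rolled back at the end.
-- Assumed: Lemmy's PostgreSQL schema as named in the post (comment,
-- private_message, post, secret) and their id/creator_id/published columns.
BEGIN;

-- 1. How many rows would the UPDATE statements touch?  ILIKE makes the
--    substring match case-insensitive, so this count is at least what the
--    LIKE-based UPDATEs in the post would change.
SELECT 'comment.content'         AS target, count(*) AS hits
  FROM comment         WHERE content ILIKE '%![" onload%'
UNION ALL
SELECT 'private_message.content', count(*)
  FROM private_message WHERE content ILIKE '%![" onload%'
UNION ALL
SELECT 'post.body',               count(*)
  FROM post            WHERE body    ILIKE '%![" onload%'
UNION ALL
SELECT 'post.name',               count(*)
  FROM post            WHERE name    ILIKE '%![" onload%';

-- 2. Look at the newest matches (who posted them, when) before they are
--    overwritten; this is the evidence you want in the incident notes.
SELECT id, creator_id, published, left(content, 120) AS snippet
  FROM comment
 WHERE content ILIKE '%![" onload%'
 ORDER BY published DESC
 LIMIT 20;

-- 3. Keep a copy of the affected comment rows so the originals survive
--    the '<REMOVED BY ADMIN>' overwrite (repeat for the other tables).
CREATE TABLE IF NOT EXISTS xss_quarantine_comment AS
SELECT * FROM comment WHERE content ILIKE '%![" onload%';

-- 4. Confirm the secret table holds exactly one row before rotating it,
--    and record the current value (the post says to back it up first).
SELECT count(*) AS secret_rows FROM secret;
SELECT jwt_secret FROM secret;

-- Nothing above has modified content.  ROLLBACK also discards the
-- quarantine table (Postgres DDL is transactional); once the numbers look
-- right, run the UPDATE statements from the post in this same transaction
-- and finish with COMMIT instead.
ROLLBACK;
```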
