cross-posted from: https://sh.itjust.works/post/923025
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
I just saw this on my feed. It’s above my pay grade, but seemed urgent enough to cross-post here.
More info here:
I applied the mitigations and invalidated all login tokens.
As far as I can tell, slrpnk.net was not directly affected though.