Hi folks,

Last night there was a Lemmy security issue (see: https://lemmy.ml/post/1901079) regarding an XSS exploit affecting custom emoji.

Last night, as a precaution, dmv.social was taken offline.

To the best of our knowledge it does not appear that this instance was affected as we do not use custom emoji, which sounds like the mechanism this exploit needed.

Comments federated from other instances containing text that looked similar to the XSS exploit were found, however. To my understanding, this alone should not trigger the XSS attack but as a safety precaution this content was removed from the database manually and will continue to be automatically checked and removed every few minutes.

As another safety precaution, all user sessions have been invalidated. You will need to log in again.

An audit of community and instance settings was performed and it appears nothing has been modified.

Update: Yesterday an RC version of Lemmy-UI was installed to mitigate this issue. We’ve now upgraded to the official 0.18.2 release of Lemmy-UI.
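The post describes a sweep of the comments table for federated bodies that resemble the exploit, repeated every few minutes. Below is an added example of what such a triage sweep can look like; it is not the instance's own script or anything from the Lemmy project, and the patterns, field names (`id`, `origin`, `body`) and sample rows are assumptions constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Markup that should never appear in a stored comment body. Each pattern is
# paired with a short label for the audit record. These are assumptions about
# what a post-incident sweep would look for, not Lemmy's own rules.
SUSPICIOUS_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("embedded-frame", re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE)),
]


def flag_comment(body: str) -> List[str]:
    """Return the labels of every suspicious pattern found in one comment body."""
    return [label for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(body)]


def scan_comments(comments: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return an audit record for every comment that should be pulled for review.

    The caller decides what to do with the findings (quarantine, delete, notify);
    this function only identifies them so the action can be logged separately.
    """
    findings: List[Dict[str, object]] = []
    for comment in comments:
        labels = flag_comment(comment["body"])
        if labels:
            findings.append(
                {"id": comment["id"], "origin": comment["origin"], "labels": labels}
            )
    return findings


# Constructed sample rows standing in for a dump of the comments table.
SAMPLE_COMMENTS: List[Dict[str, str]] = [
    {"id": "c1", "origin": "dmv.social", "body": "Welcome aboard :smile: see you in the threads!"},
    {"id": "c2", "origin": "other.example", "body": "nice <img src=x onerror=fetchSomething()>"},
    {"id": "c3", "origin": "other.example", "body": "[read more](javascript:doSomething())"},
    {"id": "c4", "origin": "dmv.social", "body": "The onion rings at that place are great"},
]

if __name__ == "__main__":
    # Run the sweep once; a scheduler (cron, systemd timer) would repeat it.
    for finding in scan_comments(SAMPLE_COMMENTS):
        print(finding)
```

The word boundary in the event-handler pattern keeps ordinary words such as "onion" from matching, but a regex sweep over stored text is a triage aid with false positives and misses (encoded or split markup will not match), so findings should be reviewed before rows are deleted. The durable fix is the one the post describes: upgrading the renderer so that such content is never executed in the first place.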

  • TheWoozy@dmv.social · 1 year ago

    Thanks for addressing this so quickly and thoroughly. I also appreciate the transparency.

    • dmvsocial@dmv.social (OP, M) · 1 year ago

      No problem! I was getting a bit worried last night and figured others would be interested to know that this was taken fairly seriously, even though this is a much smaller instance compared to many others 🙂