• Max-P
    link
    fedilink
    English
    201 year ago

    GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

    If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin’s JWT, which then lets the attacker get into that admin’s account which can then spread the exploit further by putting it somewhere where it’s rendered on every single page and then deface the site.

    If your instance doesn’t have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.

    • Kayn
      link
      fedilink
      English
      41 year ago

      But won’t custom emojis from remote instances still trigger the exploit?

      • @ruk_n_rul
        link
        English
        -11 year ago

        Apparently the custom emojis are rendered as static images when federated to outside instances so it’s clean.