sunaurus just posted this in the lemmy dev chat:
Reposting from another channel to get this out to as many admins as possible:
Current mitigations:
Remove custom emoji
DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;
Overwrite content with the exploit
UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';
Rotate your JWT secret (invalidates all current login sessions)
– back up your secret first, just in case
SELECT * FROM secret;
– generate a new secret
UPDATE secret SET jwt_secret = gen_random_uuid();
Probably worth doing
🧶 🧶 🧶 🏩
[test](javascript:onload=“window.location='https://lemmy.nz”)