Lemmy has an XSS vulnerability in the Markdown parser (sh.itjust.works) 7 points by hardcopy 3y ago ↗ HN
[–] xyst 3y ago ↗ What a blunder.I think even the worst static code analyzers would have caught this.Looking at the code that was injected by an attacker it seems like they were trying to extract user sessions and exfiltrate it.https://programming.dev/post/532566
[–] urda 3y ago ↗ I found myself asking the same thing: https://news.ycombinator.com/item?id=36662195
2 comments
[ 7.7 ms ] story [ 326 ms ] threadI think even the worst static code analyzers would have caught this.
Looking at the code that was injected by an attacker it seems like they were trying to extract user sessions and exfiltrate it.
https://programming.dev/post/532566