This commit is contained in:
Nutomic 2023-07-11 11:02:06 +02:00 committed by GitHub
parent 95c248e35a
commit 0654ff7bb4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -6,7 +6,7 @@ Lemmy is a self-hosted social link aggregation and discussion platform. It is co
## Major Changes ## Major Changes
This is an emergency release to fix the cross-site scripting vulnerability that was exploited earlier today. The attack used a bug in custom emoji code in order to exfiltrate admin login tokens. This release fixes the bug. Additionally it disallows inline Javascript using [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). This should ensure that XSS vulnerabilities are impossible from now on. This is an emergency release to fix the cross-site scripting vulnerability that was exploited yesterday. The attack used a bug in custom emoji code in order to exfiltrate admin login tokens. This release fixes the bug. Additionally it disallows inline Javascript using [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). This should ensure that XSS vulnerabilities are impossible from now on.
Special thanks to @makotech222 and @sunaruas for these fixes. Special thanks to @makotech222 and @sunaruas for these fixes.
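Review bot: the edited line still overpromises; "This should ensure that XSS vulnerabilities are impossible from now on" is more than a Content Security Policy that only disallows inline JavaScript can deliver, since script loaded from a permitted source, a gadget in already-allowed code, or a policy that still permits eval is not blocked by that directive. Because this line is being touched anyway, suggest stating the actual effect, e.g. "Additionally it disallows inline JavaScript using Content Security Policy, which blocks the most common XSS payloads and limits the impact of any similar bug." The date fix ("earlier today" to "yesterday") swaps one relative phrase for another that also goes stale; an absolute date (yesterday relative to this commit's 2023-07-11 date is 2023-07-10) would not need a follow-up edit. Minor: "Javascript" should be "JavaScript".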