If posted text is not properly “escaped” (meaning possible HTML tags and scripts made non-executable), an attacker can post (“inject”) javascript in a comment which is then loaded and executed on other people’s browsers. It seems that such a method was used to steal log-in cookies from admin’s browsers. The attacker then could log in as the admin and proceed to change stuff in other areas of the site.
Edit: someone posted a screenshot of an app displaying the scipt here: https://lemmy.sdf.org/comment/850269 – the app doesn’t execute JS but displays it as text. That might be the safest way to go atm while malicious comments are spreading over the net.
(From that post we also learn about a fix that came almost immediately, so hopefully this issue is being done with as soon as all vulnerable servers have been updated)
If posted text is not properly “escaped” (meaning possible HTML tags and scripts made non-executable), an attacker can post (“inject”) javascript in a comment which is then loaded and executed on other people’s browsers. It seems that such a method was used to steal log-in cookies from admin’s browsers. The attacker then could log in as the admin and proceed to change stuff in other areas of the site.
Edit: someone posted a screenshot of an app displaying the scipt here: https://lemmy.sdf.org/comment/850269 – the app doesn’t execute JS but displays it as text. That might be the safest way to go atm while malicious comments are spreading over the net.
(From that post we also learn about a fix that came almost immediately, so hopefully this issue is being done with as soon as all vulnerable servers have been updated)