Hi folks,

Last night there was a Lemmy security issue (see: https://lemmy.ml/post/1901079) regarding an XSS exploit affecting custom emoji.

Last night as a precaution dmv.social was taken offline.

To the best of our knowledge it does not appear that this instance was affected as we do not use custom emoji, which sounds like the mechanism this exploit needed.

Comments federated from other instances containing text that looked similar to the XSS exploit were found, however. To my understanding, this alone should not trigger the XSS attack, but as a safety precaution this content was removed from the database manually and will continue to be automatically checked and removed every few minutes.

As another safety precaution, all user sessions have been invalidated. You will need to log in again.

An audit of community and instance settings was performed and it appears nothing has been modified.

Update: Yesterday an RC version of Lemmy-UI was installed to mitigate this issue. We’ve now upgraded to the official 0.18.2 release of Lemmy-UI.