First things first, this instance has not been affected by the cross-site scripting exploit that has impacted a few of the larger instances - just wanted to quell any potential sources of panic.
TL;DR for the rest of the post - we’re not impacted by this issue, but just as an added precaution everyone has been signed out and you’ll need to sign back in.
This exploit appears to be coming from Lemmy’s Markdown parser when handling custom emojis - we do not have any here. Custom emojis from remote/federated instances do not seem to trigger the issue either.
That being said, since this exploit was using custom emojis as a way of gathering JWTs to then be able to log in on behalf of others, I’ve force-expired all login sessions across the instance as an added precaution. This impacts both the standard web interface and any mobile/third-party apps that use the Lemmy API.
If you’re reading this after logging back in, you’re good to go - however, some mobile apps may not properly notify you that you’re not logged in, since not all API actions require authentication (for example, the API wouldn’t require auth to access this post) and thus may not re-prompt you.
I’d recommend just logging out of any mobile apps you were signed into and then logging back in, which will generate a new token and prevent you from getting not_logged_in errors when you do finally try to perform an action that requires authentication (such as viewing your inbox, or casting votes).
Additionally, as of the time of writing, Beehaw is offline from their end, so if you’re subscribed to any of their communities you won’t see updates from that community at all (in terms of new comments, posts, votes, etc.) until they come back online - any content that our instance already knows about is of course still available, but if you try to reply to one, your comment won’t be visible on their side.
I’ll be watching the various instance admin groups for updates on this issue, and I see there is already a pull request opened against Lemmy-UI (the frontend for Lemmy) to fix the root issue. As soon as a release is provided with the patch, I’ll do another immediate upgrade as well.
If anyone has any questions, please don’t hesitate to let me know - apologies if you’re like me and have 7 different Lemmy apps downloaded that need to all be re-signed into 😅