@woof@fedi.aria.dog these vulnerabilities would not enable impersonation 🥴
@sharkey@sharkey.team @woof@fedi.aria.dog what the heck else could it even be that's so serious but DOESN'T enable impersonation? based on the description ("I will update for you if you can't do it when it's fresh"), I would assume it's like, RCE or something. but that enables impersonation (and so many worse things). so I guess this vulnerability is definitely less severe than that
(mostly a rhetorical question. I'm thinking out loud here. don't give us more details until the patch is released lol)
wasn't enough to warrant an URGENT security update, hopefully a similar situation isn't happening over here and they're patching like.. an xss problem or something
edited: vulnerability was less severe than what i recalled initially
@kirby@freerobuxextremist.com @woof@fedi.aria.dog @sharkey@sharkey.team yeah but like. "it doesn't allow impersonation" basically rules out XSS, no? XSS is full code execution in the client. so it would necessarily allow impersonation of everyone using the web interface. so it's not that. so what the heck else could it be that's still this severe