I have not seen any notice as to how either usera or admins should mitigate the problem so far. Obviously, admins should update once a new release is out, but beyond that...

From an end-user standpoint, I would guess -- I have not looked at the code and have not been working on the security hole -- the following:

• This basically allows the attacker to masquerade as a currently-logged-in user who has viewed their link.

• Viewing content on a lemmy server while logged in as an admin right now is probably a particularly bad idea.

• I don't know what the full impact is for a regular user account, but it's probably possible for at minimum posts to be deleted, and posts to be made as someone. In kbin, my account shows my email address, so if lemmy does the same, it would be possible to link an email account used for regiatration wirh a username.

• Viewing content while not logged in is probably safe. If I were going to be viewing content on lemmy servers right now, and okay with being limited to lurking, I might do that for a few days until the issue ia reaolved and lemmy servers update.

• I don't know if kbin is vulnerable. It didn't accept the URL given in the bug as an example of a malicious URL when I tested submitting one, but it's possible that it trusts URLs coming from federated servers, which I did not check.