Hello, your site is vulnerable to XSS from the profile about form.

div
Posted 2023-07-12 23:59:22

Observe. I am sorry to inform you of this publicly. Feel free to delete this message. `<img src="x" onerror="window.location.href = 'https://divsel.neocities.org'" />` In the meantime, if you're a user who is interested in mitigating this problem, you can use NoScript Suite to mark JS from this domain as untrusted.
Last edited on 2023-07-13 00:17:44

hazel
Posted 2025-04-16 10:02:30

Bump! This still happens.

cyanide
Posted 2025-04-23 19:20:27

Yep, there's an XSS worm going around right now. I'm using the NoScript Suite for now to block it as suggested by div, but it also means that statuscafe widgets are disabled on external websites, which is really annoying.

misa
Posted 2025-05-01 18:30:25

Is there no fix for this yet besides using NoScript? It's still going around.

cherryghost
Posted 2025-05-20 04:59:24

AGREED, this is still VERY MUCH happening. I noticed this today and thought I was going crazy. @@; I'm hoping we don't have to be worried about something happening to our account, but hopefully this can get looked at at some point. The only other workaround I can think of is removing all the content from the profile section entirely, but that seems extreme and I'd rather save it for a last resort.
Enigmatic being, creechur from the fog, if you will.

usahana
Posted 2025-05-21 06:07:53

just got wormed :-p does this not put all status.cafe users in danger? why has this not been fixed yet or at least addressed? X_X

jbcarreon123
Posted 2025-05-21 08:41:17

This is still happening. For now, to mitigate this, disable JS on status.cafe user profiles entirely. This is a thing for uBlock Origin users (put it on your custom filter lists): `||*status.cafe/users/*$csp=script-src 'none'` That will just disable scripts on status.cafe user profiles, but it wouldn't block status.cafe widgets. To test it, I put a simple thing on my profile that, if you click it, would just send an alert and redirect you here. If it's blocked successfully it should not show an alert, but it should redirect you here.
Last edited on 2025-05-21 10:25:43

drfredofficial
Posted 2025-05-22 13:47:09

Unsure how an XSS worm works, but I do suggest adopting jbcarreon123's temporary solution. The only thing you're missing out on with it is some custom scripts on profiles, and a vast majority of profiles don't use those lol. Like getting free medicine but you have to trade a single spoon for it; insignificant consequence.
he/him
https://drfred.nekoweb.org

midousuji
Posted 2025-06-06 18:04:22

this just happened to me as well. haven't seen it talked about anywhere outside of here, one neocities comment, and one pillowfort comment. is there any way to actually get rid of it? makes me not want to use status cafe because of this vulnerability! thank you jbcarreon123 for the temporary fix! i don't know how to personally apply it because i only have ublock origin lite, but hopefully it can help some others!
Last edited on 2025-06-06 18:13:49
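The thread asks how to actually get rid of the worm rather than just block scripts client-side. Cleanup on the site side starts with finding which stored "about" fields carry markup that can run script, so here is an added triage helper (my example, not code from the thread or from status.cafe) that scans profile records for script elements, `on*` event-handler attributes like the `onerror` quoted above, and `javascript:` URLs. The record shape `{ user, about }` and the sample profiles are assumptions constructed for the example.

```javascript
// Added triage example, not code from the thread or from status.cafe.
// Scans stored profile "about" HTML for markup that can run script and
// reports which profiles need cleaning. Regex tag scanning is adequate for
// triage; the durable fix is a server-side allowlist sanitizer (or escaping
// the field entirely) applied before the about text is stored or rendered.

const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Returns a list of { tag, attr, reason } findings for one HTML fragment.
// Limitation: attribute values are read as written; HTML entities are not decoded.
function findScriptVectors(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (tag === "script") findings.push({ tag, attr: null, reason: "script element" });
    for (const a of m[2].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (attr.startsWith("on")) {
        findings.push({ tag, attr, reason: "event handler attribute" });
      } else if (URL_ATTRS.has(attr) && /^javascript:/i.test(value)) {
        findings.push({ tag, attr, reason: "javascript: URL" });
      }
    }
  }
  return findings;
}

// Constructed sample records (assumed shape). The first "about" is the
// payload quoted in div's post; the others are benign and script-bearing fillers.
const SAMPLE_PROFILES = [
  { user: "alice", about: "<img src=\"x\" onerror=\"window.location.href = 'https://divsel.neocities.org'\" />" },
  { user: "bob", about: "<p>hi! <a href=\"https://example.org\">my site</a></p>" },
  { user: "carol", about: "<b>status</b> <script>/* anything here */</script>" },
];

// Returns the user names whose "about" field carries at least one script vector.
function triageProfiles(profiles) {
  return profiles
    .filter((p) => findScriptVectors(p.about).length > 0)
    .map((p) => p.user);
}

console.log(triageProfiles(SAMPLE_PROFILES)); // prints [ 'alice', 'carol' ]
```

Flagged profiles are candidates for manual review or for having the about field reset, which removes the stored payload instead of relying on every visitor to block scripts.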