nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl how can this be exploited?
#Pleroma Security Release 2.5.4
Fix XML External Entity (XXE) loading vulnerability allowing arbitrary files to be fetched from the server's filesystem.
https://pleroma.social/announcements/2023/08/05/pleroma-security-release-2.5.4/
Discussion
@pomstan@xn--p1abe3d.xn--80asehdb /api/v1/pleroma/remote_interaction (public) is a known way.
And I’m not a full-disclosure-on-day0 person so if you want exploit details it’ll have to wait until I can be reasonably sure people have their software fixed.