1. There's a bug in pleroma oembed parsing that allows html injection, this is probably the one used for the attack on poast. You need to have rich media (i.e. website previews) enable for that to be dangerous.
2. There's a second exploit that I found first, having to with the CSP settings for /proxy. The nginx snippet i posted fixes that, but it doesn't fix the first issue.
The used exploit might have been a different one altogether, but at least these two can absolutely be used to steal your oauth tokens.
So what you should do in my opinion is to deactivate rich media and add the nginx snippet i posted. If you can, you should also implement alex's suggestion of moving media and proxy to subdomains (see here: https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO), as this will fix these two issues plus potential additional ones that we don't know of yet.
you should also delete ALL oauth tokens, at least if you have used rich media or media proxy. you can do this by entering `delete from oauth_tokens` in psql.