Inverle

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.27.0 through 1.27.9 **Description** An attacker could disrupt access to RSS feeds for all users of an instance by manipulating the proxy settings to send a large number of 429 Retry-After requests. This denial of service makes the application unusable for most users. **Recommendations** Update to version 1.28.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.27.1 **Description** FreshRSS is a free, self-hostable RSS aggregator. Versions before 1.27.1 contain a cross-site request forgery flaw related to the logout function. Successful exploitation of this flaw can result in a denial of service through the `<track src>` attribute. **Recommendations** Update to version 1.27.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.3 and below **Description** FreshRSS, a self-hostable RSS aggregator, discloses information about feeds and tags belonging to default admin users. This is due to missing access controls within the `FreshRSS Auth::hasAccess()` function, which is utilized by certain tag and feed-related endpoints. Specifically, some FreshRSS controllers lack a defined `firstAction()` method or manual access checks, leading to unauthorized information exposure. The issue is addressed in version 1.27.0. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.16.0 through 1.26.3 **Description** FreshRSS is a free, self-hostable RSS aggregator. An unprivileged attacker can create a new administrator user when registration is enabled. This is achieved through manipulation of a hidden field, `new user is admin`, used on the user management admin page. The field allows an attacker to set the `new user is admin` parameter to '1' during registration, granting them administrative privileges. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.3 and below **Description** FreshRSS is a free, self-hostable RSS aggregator susceptible to a flaw where a crafted page can mislead a user into executing arbitrary JavaScript code or elevating privileges within FreshRSS. This is achieved by concealing UI elements within iframes. If embedding an authenticated iframe is possible, it could lead to privilege escalation by obscuring the promote user button in the admin UI, or cross-site scripting (XSS) by deceiving the user into dragging content into the UserJS text area. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.3 and below **Description** FreshRSS does not properly sanitize event handler attributes within feed content. This can lead to cross-site scripting (XSS) if a page renders feed entries without a Content Security Policy (CSP). The Allow API access authentication setting must be enabled for exploitation. An attacker can potentially take over an account by sending a change password request, setting UserJS for persistence, stealing autofill passwords, or displaying a phishing page. If the victim is an administrator, administrative actions are also possible. The attack utilizes the `/api/query.php` endpoint. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.3 and below **Description** FreshRSS is susceptible to directory enumeration. By manipulating the `theme` field with a specific path, an attacker can determine the existence of directories on the server, potentially gaining additional information. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.3 and below **Description** FreshRSS is susceptible to a double clickjacking protection bypass. An attacker can trick an administrator into promoting themselves to "admin" and logging into other users' accounts. This is achieved by exploiting a flaw in the confirmation dialog, requiring knowledge of the specific instance URL. A successful attack requires the administrator to double-click on a button within an attacker-controlled website. **Recommendations** Update to version 1.27.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions 1.26.1 and below **Description** FreshRSS is a free, self-hostable RSS aggregator. An authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. Successful code execution can lead to the exfiltration of user data, including hashed passwords, and potential defacement of the instance. Malicious code can be inserted to steal plaintext passwords. **Recommendations** Update to version 1.26.2 or later.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** A vulnerability in FreshRSS, a self-hosted RSS feed aggregator, causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively resulting in denial of service. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** The issue is related to improper HTML sanitization inside the `<iframe srcdoc>` attribute, leading to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. To execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. This could allow an attacker to gain access to the victim's account. If the victim is an admin, it would be possible to delete all users or execute arbitrary code on the server by modifying the update URL using `fetch()` via the XSS. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the `<iframe srcdoc>` attribute or disabling the use of UserJS inside `<script src>` until the patch is applied. Restricting feed control and account access can also minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** The issue allows an attacker to run arbitrary JavaScript on the feeds page by combining a cross-site scripting (XSS) issue in `f.php` with the lack of Content Security Policy (CSP) when SVG favicons are downloaded from an attacker-controlled feed. This can be achieved by embedding a malicious favicon in an iframe with specific attributes. The attacker needs to control one of the feeds that the victim is subscribed to and have an account on the FreshRSS instance. The vulnerability can be exploited in two ways, one requiring user interaction and the other firing instantly after the user adds the feed or logs into the account. This can lead to the attacker gaining access to the victim's account, and if the victim is an admin, it could result in damage such as deleting all users or executing arbitrary code on the server. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the `f.php` file or disabling the lazy image loading functionality until the update is applied. Additionally, restrict the use of iframes with the `sandbox="allow-scripts allow-same-origin"` attribute to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** FreshRSS is a self-hosted RSS feed aggregator. When the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, while also having an account on the instance. This can lead to unauthorized access to internal services and potentially privilege escalation, although users that have setup OIDC are not affected by privilege escalation. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the add feed functionality and limiting the use of HTTP auth via reverse proxy until the patch is applied. Additionally, restrict the `Remote-User` and `X-WebAuth-User` headers to prevent header manipulation.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** FreshRSS is a self-hosted RSS feed aggregator. An attacker can gain additional information about the server by checking if certain directories exist, potentially discovering older PHP versions or installed software. This information could be used to further attack the server. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.26.2 **Description** The issue allows an attacker to poison feed favicons by manipulating the feed URL and proxy settings, potentially replacing favicons for all users. This is possible because the favicon hash computation does not include the proxy address, proxy protocol, and SSL verification settings. An attacker can intercept the feed response and change the website URL to a controlled feed favicon. **Recommendations** For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the proxy settings and ensuring SSL verification is enabled for all feeds. Avoid using the proxy feature with untrusted feeds until the issue is resolved.