PT-2022-16030 · Freshrss · Freshrss
C3L3Si4N
·
Published
2022-12-09
·
Updated
2022-12-13
·
CVE-2022-23497
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
FreshRSS versions prior to 1.20.2
Description
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords of the FreshRSS Web interface. If the API is used, the configuration might contain a hashed password of the GReader API, and a hashed password of the Fever API.
Recommendations
For versions prior to 1.20.2, update to version 1.20.2 or edge.
For users unable to upgrade, apply the patch manually or delete the file ./FreshRSS/p/ext.php
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Freshrss