CVE-2022-23497

Published: Dec 9, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`.

Affected (1)

Products: Freshrss: Freshrss

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freshrss Freshrss	From 1.18.0 to 1.20.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://github.com/FreshRSS/FreshRSS/pull/4928

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6

Source: security-advisories@github.com

Third Party Advisory

https://github.com/FreshRSS/FreshRSS/pull/4928

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.