CVE-2025-59950

Published: Sep 30, 2025Modified: Oct 3, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button inside an attacker-controlled website. A successful attack can allow the attacker to promote themselves to "admin" and log into other users' accounts; the attacker has to know the specific instance URL they're targeting. This issue is fixed in version 1.27.0.

Affected (1)

Products: Freshrss: Freshrss

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freshrss Freshrss	Before 1.27.0

Related CWEs

Improper Restriction of Rendered UI Layers or Frames

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

References (4)

https://github.com/FreshRSS/FreshRSS/pull/7771

Source: security-advisories@github.com

Patch

https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0

Source: security-advisories@github.com

Release Notes

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.