CVE-2022-23497— FreshRSS 信息泄露漏洞

Insecure file access in FreshRSS

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

信息暴露

FreshRSS 信息泄露漏洞

FreshRSS是FreshRSS开源的一个免费的、可自行托管的 RSS 聚合器。 FreshRSS 1.20.2之前版本存在信息泄露漏洞，该漏洞源于远程用户可以访问用户配置文件，此类配置包含Web界面的散列密码，如果使用 API，配置可能包含GReader API的哈希密码和Fever API的哈希密码。

N/A

N/A