CVE-2022-23497

Published: 2022-12-09 23:15:11
CWE-200
web.nvd.nist.gov
Tags: freshrss, rss aggregator, cve-2022-23497, security vulnerability, remote access, user configuration, api, manual patch, version 1.20.2

CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Metric                  Value
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        NONE
Availability Impact     NONE

EPSS: 0.003 Low (percentile 66.1%)

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain the hashed passwords (bcrypt with cost 9, salted) for the FreshRSS web interface. If the API is used, the configuration might also contain a hashed password (bcrypt with cost 9, salted) for the GReader API and a hashed password (salted MD5) for the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file ./FreshRSS/p/ext.php.

Affected configurations

Vulners:
Vendor    Product   Range
freshrss  freshrss  1.18.0 to 1.20.2 (see CNA entry below for bounds)

NVD:
Vendor    Product   Version  CPE
freshrss  freshrss  *        cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "FreshRSS",
    "product": "FreshRSS",
    "versions": [
      {
        "version": ">= 1.18.0, < 1.20.2",
        "status": "affected"
      }
    ]
  }
]
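As an added example (not part of this advisory or of the FreshRSS project), the Python below reads the CNA "versions" record shown above, decides whether a given installed version falls inside the affected range ">= 1.18.0, < 1.20.2", and reports whether the documented fallback mitigation (removing ./FreshRSS/p/ext.php) is present under an install root. The install-tree layout, the helper names and the sample versions are assumptions made for the example; the range itself is the one published on this page.

```python
import json
import os
import re
from typing import Callable

# CNA affected record, copied from this advisory page.
CNA_AFFECTED = json.loads("""
[
  {"vendor": "FreshRSS", "product": "FreshRSS",
   "versions": [{"version": ">= 1.18.0, < 1.20.2", "status": "affected"}]}
]
""")

_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> tuple[int, ...]:
    """'1.20.2' -> (1, 20, 2). A trailing tag such as '-dev' is dropped so
    that comparison stays purely numeric."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def _pad(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Pad with zeros so '1.20' compares equal to '1.20.0'.
    return v + (0,) * (width - len(v))


def parse_constraint(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """'>= 1.18.0, < 1.20.2' -> [('>=', (1,18,0)), ('<', (1,20,2))]"""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised constraint clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def version_matches(version: str, spec: str) -> bool:
    """True when every clause of the CNA range holds for the version."""
    v = parse_version(version)
    for op, bound in parse_constraint(spec):
        width = max(len(v), len(bound))
        if not _OPS[op](_pad(v, width), _pad(bound, width)):
            return False
    return True


def is_affected(version: str, cna=CNA_AFFECTED, product: str = "FreshRSS") -> bool:
    for entry in cna:
        if entry["product"].lower() != product.lower():
            continue
        for rec in entry["versions"]:
            if rec["status"] == "affected" and version_matches(version, rec["version"]):
                return True
    return False


def manual_patch_applied(install_dir: str) -> bool:
    """The advisory's fallback is deleting ./FreshRSS/p/ext.php; report
    whether that file is absent under the given FreshRSS install root
    (assumed layout: <root>/p/ext.php)."""
    if not os.path.isdir(install_dir):
        raise FileNotFoundError(install_dir)
    return not os.path.exists(os.path.join(install_dir, "p", "ext.php"))


def assess(version: str, install_dir: str) -> str:
    if not is_affected(version):
        return "not affected"
    if manual_patch_applied(install_dir):
        return "affected version, ext.php removed (manual mitigation present)"
    return "affected: upgrade to 1.20.2/edge or remove p/ext.php"


def demo() -> dict[str, str]:
    """Build two constructed install trees in a temp dir and assess each."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, keep_ext in (("unpatched", True), ("mitigated", False)):
            inst = os.path.join(root, name)
            os.makedirs(os.path.join(inst, "p"))
            if keep_ext:
                open(os.path.join(inst, "p", "ext.php"), "w").close()
            results[name] = assess("1.19.0", inst)  # constructed sample version
    return results


if __name__ == "__main__":
    for version in ("1.17.0", "1.18.0", "1.20.1", "1.20.2"):
        print(version, "affected" if is_affected(version) else "not affected")
    print(demo())
```

The version parser pads shorter tuples with zeros before comparing, so "1.20" is treated as "1.20.0" and lands inside the range; a build tag such as "-dev" is ignored, which is the conservative choice for a vulnerability check because it never lets a tagged build slip out of an affected range on string-comparison grounds.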
