CVE-2023-22481

🗓️ 06 Mar 2023 17:33:03Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 46 Views🌐 WEB

CVE-2023-22481: FreshRSS greader API logs passwords in clear tex

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2023-22481	6 Mar 202320:12	–	circl
CNNVD	FreshRSS 日志信息泄露漏洞	6 Mar 202300:00	–	cnnvd
Cvelist	CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS	6 Mar 202317:33	–	cvelist
EUVD	EUVD-2023-26629	3 Oct 202520:07	–	euvd
NVD	CVE-2023-22481	6 Mar 202318:15	–	nvd
OSV	CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS	6 Mar 202317:33	–	osv
Prion	Cross site request forgery (csrf)	6 Mar 202318:15	–	prion
RedhatCVE	CVE-2023-22481	23 May 202504:44	–	redhatcve
Vulnrichment	CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS	6 Mar 202317:33	–	vulnrichment

NVD

Vulners

Node

freshrss freshrssRange1.9.0–1.21.0

[
  {
    "vendor": "FreshRSS",
    "product": "FreshRSS",
    "versions": [
      {
        "version": ">= 1.9.0, < 1.21.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578
github	www.github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554

Parameter	Position	Path	Description	CWE
password	request body	/greader.php	Credentials logged in cleartext in logs after authentication failure via greader API	CWE-532
request_content	path	/users/_/log_api.txt	Exposure of sensitive request data (password/API keys) through log file content (log_api.txt) when debugging info is logged	CWE-532
credentials	path	/users/_/log_api.txt	Exposure of sensitive request data (password/API keys) through log file content (log_api.txt) when debugging info is logged	CWE-532

21 Nov 2024 07:44Current

5Medium risk

Vulners AI Score5

CVSS 3.14 - 5.5

EPSS0.00048

SSVC

CWE-532