4 matches found
CVE-2025-46341
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...
CVE-2025-46341
FreshRSS before 1.26.2 is vulnerable to user impersonation via HTTP auth when behind a reverse proxy. An attacker who knows the proxied instance IP, the admin username, and has an account can craft requests through the add feed flow to obtain a CSRF token and impersonate other users using the Rem...
CVE-2025-46341 Privilege escalation via SSRF when using HTTP auth
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...
CVE-2025-46341 Privilege escalation via SSRF when using HTTP auth
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...