Vulnerability Information
Vulnerability Title
Insecure file access in FreshRSS
Vulnerability Description
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (bcrypt with cost 9, salted) for the FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (bcrypt with cost 9, salted) for the GReader API, and a hashed password (MD5 salted) for the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Vulnerability Type
Information Exposure
Vulnerability Title
FreshRSS Information Disclosure Vulnerability
Vulnerability Description
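FreshRSS is a free, self-hostable RSS aggregator open-sourced by FreshRSS. Versions of FreshRSS before 1.20.2 contain an information disclosure vulnerability, which arises because a remote user can access user configuration files. Such configurations contain hashed passwords for the Web interface and, if the API is used, may contain a hashed password for the GReader API and a hashed password for the Fever API.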
CVSS Information
N/A
Vulnerability Type
N/A