Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreshRSS vulnerable to authenticated RCE via path traversal inside include()
Vulnerability Description
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.
CVSS Information
N/A
Vulnerability Type
输入验证不恰当
Vulnerability Title
FreshRSS 路径遍历漏洞
Vulnerability Description
FreshRSS是FreshRSS开源的一个免费的、可自行托管的 RSS 聚合器。 FreshRSS存在路径遍历漏洞。攻击者利用该漏洞可以执行代码。
CVSS Information
N/A
Vulnerability Type
N/A