CVE-2025-59950
6.7
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Summary
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button inside an attacker-controlled website. A successful attack can allow the attacker to promote themselves to "admin" and log into other users' accounts; the attacker has to know the specific instance URL they're targeting. This issue is fixed in version 1.27.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreshRSS | FreshRSS | < 1.27.0 | affected |
Weaknesses
- CWE-1021: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3
- https://github.com/FreshRSS/FreshRSS/pull/7771
- https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.