CVE-2023-22481
March 06, 2023
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in "users/_/log_api.txt" in the case where the authentication fails. The issues occurs in "authorizationToUser()" in "greader.php". If there is an issue with the request or the credentials, "unauthorized()" or "badRequest()" is called. Both these functions are printing the return of "debugInfo()" in the logs. "debugInfo()" will return the content of the request. By default, this will be saved in "users/_/log_api.txt" and if the const "COPY_LOG_TO_SYSLOG" is true, in syslogs as well. Exploiting this issue requires having access to logs produced by FreshRSS. Using the information from the logs, a malicious individual could get users' API keys (would be displayed if the users fills in a bad username) or passwords.
Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
4.1
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
EPSS
Base Score:
0.06
