CVE-2025-59948
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | versions before 1.27.0 (1.27.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FreshRSS (versions 1.26.3 and below) allows an attacker to execute a cross-site scripting (XSS) payload by exploiting unsanitized event handler attributes in feed content. The attack requires the 'Allow API access authentication' setting to be enabled and targets the api/query.php endpoint. Through this XSS, an attacker can take over user accounts by changing passwords, persisting malicious scripts, stealing autofill passwords, or displaying phishing pages with spoofed URLs. If the victim is an administrator, the attacker can also perform administrative actions. The issue is fixed in version 1.27.0.
How can this vulnerability impact me?
This vulnerability can lead to account takeover, including administrative accounts, allowing attackers to perform unauthorized actions within the FreshRSS instance. It can result in theft of sensitive information such as passwords, persistent malicious scripts running in users' browsers, and phishing attacks via spoofed URLs. Overall, it compromises the security and integrity of the FreshRSS service and its users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade FreshRSS to version 1.27.0 or later, as this version fixes the vulnerability. Additionally, consider disabling the 'Allow API access authentication' setting if it is not required, to reduce the attack surface.