Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter.
6.1CVSS
6AI Score
0.006EPSS
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a has...
7.5CVSS
7.6AI Score
0.003EPSS
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in users/_/log_api.txt in the case where the authentication fails. The issues occurs in authorizationToUser() in greader.php. If there is an issue with the request or the credentials,...
5.5CVSS
5.6AI Score
0.0005EPSS