CVE-2025-54591 (CNNVD-202509-4337)
中文标题:
FreshRSS 访问控制错误漏洞
英文标题:
FreshRSS: Unauthenticated users can view default user's information
漏洞描述
中文描述:
FreshRSS是FreshRSS开源的一个免费的、可自行托管的 RSS 聚合器。 FreshRSS 1.26.3及之前版本存在访问控制错误漏洞,该漏洞源于FreshRSS_Auth::hasAccess函数缺少访问检查,可能导致信息泄露。
英文描述:
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a defined firstAction() method with an override to make sure that every action requires access. If one doesn't, then every action has to check for access manually, and certain endpoints use neither the firstAction() method, or do they perform a manual access check. This issue is fixed in version 1.27.0.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| FreshRSS | FreshRSS | < 1.27.0 | - | - |
cpe:2.3:a:freshrss:freshrss:<_1.27.0:*:*:*:*:*:*:*
|
| freshrss | freshrss | * | - | - |
cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-54591 |
2025-11-11 15:23:29 | 2025-11-11 07:40:42 |
| NVD | nvd_CVE-2025-54591 |
2025-11-11 15:01:04 | 2025-11-11 07:48:29 |
| CNNVD | cnnvd_CNNVD-202509-4337 |
2025-11-11 15:12:59 | 2025-11-11 08:00:14 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 授权问题
- cnnvd_id: 未提取 -> CNNVD-202509-4337
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']