FreshRSS Content Security Policy Bypass Leading to Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in FreshRSS versions prior to 1.26.2. This issue allows arbitrary JavaScript to be executed on the feeds page. The vulnerability arises from the improper sanitization of SVG favicons in 'f.php', which can be exploited by embedding a malicious favicon in an iframe with 'sandbox' attributes that allow scripts and same-origin access. An attacker must control a feed subscribed to by the victim and have an account on the FreshRSS instance. Exploitation can occur either through user interaction or automatically after adding a feed or logging in.

Impact

Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's account. If the victim is an admin, the attacker could delete all users or execute arbitrary code on the server by manipulating the update URL via the XSS.

Reproduction

To reproduce this vulnerability, an attacker must first control a feed that the victim subscribes to and ensure the feed entry is visible. The attacker can then embed a malicious SVG favicon containing unescaped script tags. Once the feed is loaded, the XSS payload can be delivered either by having the victim click on the feed entry or by exploiting the lazy image loading feature immediately after the feed is added or the user logs in.

Remediation

Users can update to FreshRSS version 1.26.2 or later, where this vulnerability has been patched.
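The root cause described above is a favicon proxy that serves attacker-supplied SVG as-is, so a defender reviewing a similar feature wants to know what a safe favicon path checks before it responds. The following Python is an added illustration written for this page; it is not FreshRSS code and not the fix shipped in 1.26.2. It content-sniffs the fetched icon (the declared Content-Type comes from a server the feed owner controls), parses anything that looks like SVG, and refuses to serve it if it carries script-capable elements, event-handler attributes or javascript: links. The function names, the response-header policy and the sample SVG/PNG inputs are all constructed for the example.

```python
"""Defensive checks for a favicon proxy before it serves a fetched icon.

Added example for this advisory page, not FreshRSS code. Everything below
(function names, header policy, sample inputs) is constructed here.
"""
import re
import xml.etree.ElementTree as ET  # note: not hardened against entity expansion;
                                    # a production proxy would use defusedxml

# SVG elements that can run script or embed arbitrary documents.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Hypothetical policy: raster types the proxy is willing to pass through.
RASTER_TYPES = {"image/png", "image/x-icon", "image/vnd.microsoft.icon",
                "image/jpeg", "image/gif"}


def _local_name(tag: str) -> str:
    """Strip an XML namespace such as {http://www.w3.org/2000/svg} from a tag/attr name."""
    return tag.rsplit("}", 1)[-1].lower()


def looks_like_svg(data: bytes) -> bool:
    """Content-sniff the body; never trust the declared type of an attacker-hosted icon."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<?xml") or b"<svg" in head


def svg_is_active(data: bytes) -> bool:
    """True if the SVG could execute script when loaded as a document.

    Fails closed: an unparsable body or a non-SVG root is treated as active,
    because a fail-open favicon path is exactly the bug this guards against.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    if _local_name(root.tag) != "svg":
        return True
    for elem in root.iter():
        if _local_name(elem.tag) in ACTIVE_ELEMENTS:
            return True
        for name, value in elem.attrib.items():
            lname = _local_name(name)
            if lname.startswith("on"):               # onload=, onclick=, ...
                return True
            if lname == "href" and re.match(r"\s*javascript:", value, re.I):
                return True
    return False


def decide_favicon(data: bytes, declared_type: str) -> dict:
    """Decide whether a favicon proxy should serve `data`, and with which headers.

    Headers are defence in depth (assumed policy): nosniff pins the type and the
    CSP neutralises script if an inert SVG is ever loaded as a document anyway.
    """
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if looks_like_svg(data):
        if svg_is_active(data):
            return {"serve": False, "reason": "active content in SVG favicon", "headers": headers}
        headers["Content-Type"] = "image/svg+xml"
        return {"serve": True, "reason": "inert SVG", "headers": headers}
    media_type = declared_type.split(";")[0].strip().lower()
    if media_type in RASTER_TYPES:
        headers["Content-Type"] = media_type
        return {"serve": True, "reason": "raster favicon", "headers": headers}
    return {"serve": False, "reason": "unrecognised favicon type", "headers": headers}


# Constructed sample inputs (not taken from any real feed).
SAMPLE_BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
                 b'<circle cx="8" cy="8" r="6"/></svg>')
SAMPLE_SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                   b'<script>/* constructed placeholder */</script></svg>')
SAMPLE_HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><rect/></svg>'
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for label, body, ctype in [("benign svg", SAMPLE_BENIGN, "image/svg+xml"),
                               ("scripted svg as png", SAMPLE_SCRIPTED, "image/png"),
                               ("handler svg", SAMPLE_HANDLER, "image/svg+xml"),
                               ("png", SAMPLE_PNG, "image/png")]:
        print(label, "->", decide_favicon(body, ctype)["reason"])
```

The "scripted svg as png" case is the one worth noting: the upstream server declares image/png, but the body is sniffed as SVG and rejected. Rejecting rather than stripping keeps the logic small and auditable; a proxy that only ever needs icons can also simply refuse SVG outright and fall back to a default icon.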

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread:         3.1
impact:        10.0
exploitability: 6.3
remediation:    7.7
relevance:      0.1
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.