FreshRSS Cross-Site Scripting Vulnerability via Improper HTML Sanitization in iframe srcdoc Attribute

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in FreshRSS versions prior to 1.26.2. The issue arises from improper sanitization of HTML within the iframe srcdoc attribute, allowing an attacker to load malicious UserJS into a script tag. To exploit this vulnerability, the attacker must control a feed that the victim subscribes to and have an account on the same FreshRSS instance. Successful exploitation could lead to unauthorized access to the victim's account, with potentially severe consequences if the victim is an admin.

Impact

Exploitation of this vulnerability allows an attacker to access the victim's account. If the victim is an admin, the attacker could delete all users or execute arbitrary code on the server by manipulating the update URL using fetch() through the XSS.

Reproduction

To reproduce this vulnerability, an attacker must first create an account on the FreshRSS instance and control a feed. The attacker can then upload a UserJS script that includes an XSS payload, such as one that displays the CSRF token. After this, the attacker can add an XML feed containing the XSS payload into the victim's FreshRSS account. When the feed is processed, the XSS payload will execute, exploiting the vulnerability.

Remediation

Users can update to FreshRSS version 1.26.2 or later, where this vulnerability has been patched.
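The root cause above is a sanitizer that let an iframe's srcdoc attribute through. The following added example (written for this page, not FreshRSS's own code) shows the shape of an allowlist sanitizer for feed HTML that drops srcdoc from iframes, drops non-http(s) URLs, strips every non-allowlisted element with its content, and reports what it removed so the rejection can be logged. The tag and attribute allowlists and the sample entry are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Allowlists for a feed-content sanitizer (constructed for this example, not FreshRSS's own).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img", "iframe"}
# srcdoc is deliberately absent from the iframe entry: srcdoc markup renders in the embedding
# page's origin, so a <script> inside it would run as the logged-in FreshRSS user.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "iframe": {"src", "width", "height"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}  # only absolute http(s) URLs are kept in these
class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skipping = [], [], []  # dropped: (tag, attr) pairs removed

    def handle_starttag(self, tag, attrs):
        if self.skipping or tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.skipping.append(tag)  # swallow the element and everything inside it
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))  # e.g. ("iframe", "srcdoc")
            elif name in URL_ATTRS and not value.lower().startswith(("http://", "https://")):
                self.dropped.append((tag, name))  # javascript:, data: and other schemes
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping[-1]:
                self.skipping.pop()
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))
def sanitize_feed_html(html):
    """Return (clean_html, dropped) so callers can render the result and log what was removed."""
    parser = FeedSanitizer()
    parser.feed(html); parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample entry: a benign paragraph, an iframe with inline srcdoc markup and a bad link.
SAMPLE_ENTRY = ('<p>Release notes</p><iframe src="https://example.org/embed" '
                'srcdoc="&lt;b&gt;inline&lt;/b&gt;" width="300"></iframe><a href="javascript:void(0)">link</a>')
```

Running `sanitize_feed_html(SAMPLE_ENTRY)` keeps the iframe's src and width but removes srcdoc and the javascript: href, and the returned `dropped` list names both removals.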

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.5
exploitability: 6.3
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.