FreshRSS Unauthenticated Feed and Tag Information Disclosure Vulnerability

Vulnerability

A vulnerability in FreshRSS versions through 1.26.3 allows unauthenticated users to access information about the feeds and tags associated with the default admin user. The issue arises because the FreshRSS_Auth::hasAccess() access check is not enforced on certain tag- and feed-related endpoints, so this information can be read without authentication.

Impact

This vulnerability reveals details about the feeds and tags of the default admin user, including the number of unread articles, which could be used to infer the user's reading habits or interests.

Reproduction

The vulnerability can be reproduced by sending requests to the affected endpoints without authentication. For example, the nbUnreadsPerFeedAction endpoint returns the number of unread articles for each feed, using feed IDs that can be obtained from the actualizeAction endpoint. The same disclosure can be automated by incrementing the ID parameter of the updateAction endpoint.
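A detection sketch for the access pattern described above, added here as an example and not taken from the advisory or from the FreshRSS project: it scans constructed web-server log lines for unauthenticated requests to the actions the advisory names, and flags a client that walks many distinct feed IDs through updateAction. It assumes a constructed log format whose last quoted field is the Cookie header ("-" when absent) and that FreshRSS selects actions through ?c=<controller>&a=<action> query parameters.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Actions the advisory names as reachable without the FreshRSS_Auth::hasAccess() check.
WATCHED_ACTIONS = {"nbUnreadsPerFeed", "actualize", "update"}
ENUM_THRESHOLD = 5  # distinct ids from one unauthenticated client before flagging enumeration
# Constructed log format (assumption): Apache-style prefix, request line, status, size,
# then the Cookie header in quotes ("-" when the request carried none).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "([^"]*)"$')

# Constructed sample: one client calls actualize, then walks update ids 1..6 with no
# session cookie; a logged-in client makes ordinary requests.
SAMPLE_LOG = (
    ['203.0.113.5 - - [29/Sep/2025:21:18:00 +0000] "GET /i/?c=feed&a=actualize HTTP/1.1" 200 1024 "-"']
    + [f'203.0.113.5 - - [29/Sep/2025:21:18:0{n} +0000] "GET /i/?c=feed&a=update&id={n} HTTP/1.1" 200 512 "-"'
       for n in range(1, 7)]
    + ['198.51.100.7 - - [29/Sep/2025:21:19:00 +0000] "GET /i/?c=feed&a=nbUnreadsPerFeed HTTP/1.1" 200 256 "FreshRSS=s3ss10n"',
       '198.51.100.7 - - [29/Sep/2025:21:19:01 +0000] "GET /i/?c=index&a=index HTTP/1.1" 200 4096 "FreshRSS=s3ss10n"']
)

def parse_line(line):
    """Return the fields the detector needs, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, cookie = m.groups()
    qs = parse_qs(urlparse(target).query)  # FreshRSS routes via ?c=<controller>&a=<action> (assumption)
    return {"ip": ip, "action": qs.get("a", [""])[0],
            "id": qs.get("id", [None])[0], "authenticated": cookie != "-"}

def analyze(lines):
    """Flag unauthenticated hits on the watched actions and per-client id enumeration."""
    findings, ids_seen = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in WATCHED_ACTIONS or rec["authenticated"]:
            continue
        findings.append(("unauthenticated", rec["ip"], rec["action"]))
        if rec["id"] is not None:
            ids_seen[rec["ip"]].add(rec["id"])
    for ip, ids in ids_seen.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append(("id_enumeration", ip, len(ids)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On a patched 1.27.0 instance these requests should be rejected rather than answered with feed data, so the same scan doubles as a check that the upgrade took effect.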

Remediation

Upgrade to FreshRSS version 1.27.0, which addresses this vulnerability by adding the missing access checks to the feed-related actions.

Added: Sep 29, 2025, 9:18 PM
Updated: Sep 29, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm
Category        Score
spread          3.1
impact          2.5
exploitability  8.5
remediation     8.3
relevance       0.6
threat          1.6
urgency         2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.