FreshRSS Arbitrary Code Execution Vulnerability for Authenticated Administrators

Vulnerability

A vulnerability allowing authenticated administrator users to execute arbitrary code on the FreshRSS server has been identified in versions prior to 1.26.2. The issue arises because an administrator can change the auto-update URL to one pointing at a server they control; once the URL is saved, running an update executes whatever the remote server delivers. Exploitation of this vulnerability could lead to unauthorized code execution, allowing for exfiltration of user data, including hashed passwords, defacement of the instance (if file permissions permit), and insertion of malicious code to steal plaintext passwords, among other actions.

Impact

Successful exploitation allows for arbitrary code execution on the server, with potential exfiltration of user data, including hashed passwords. If file permissions allow, the affected instance could be defaced or have malicious code inserted to steal plaintext passwords.

Reproduction

To reproduce this vulnerability, an authenticated administrator user can modify the auto-update URL in the FreshRSS configuration to point to a server they control. After saving the changes, the user can manually trigger an update, which will execute any code placed at the specified URL.

Remediation

Users are advised to update FreshRSS to version 1.26.2 or later. Instructions for updating can be found in the FreshRSS documentation.
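The reproduction and remediation sections above reduce to two things a defender can check on their own instance: whether the running version is older than 1.26.2, and whether the configured auto-update URL still points at the vendor's host rather than somewhere an administrator has redirected it. The script below is an added example written for this page, not FreshRSS project code. It assumes (unverified against the page) that the setting is stored in the admin configuration under a key named `auto_update_url` and that the vendor default uses the host `update.freshrss.org`; confirm both against your own `data/config.php` before relying on the allowlist.

```python
"""Audit helper for the FreshRSS auto-update URL issue described in this advisory.

Added example, not FreshRSS project code. Assumptions (not from the advisory):
the update URL is held under a config key 'auto_update_url', and the vendor's
default points at the host 'update.freshrss.org'. Adjust EXPECTED_UPDATE_HOSTS
to match what your deployment is supposed to use.
"""
import re
from urllib.parse import urlparse

FIXED_VERSION = (1, 26, 2)  # first release that carries the fix, per the advisory
EXPECTED_UPDATE_HOSTS = {"update.freshrss.org"}  # assumed vendor default host


def parse_version(text):
    """Turn a version string such as '1.26.1' into a comparable tuple of ints.

    Only the leading numeric prefix is used; a missing patch component is
    treated as 0 so '1.26' compares as (1, 26, 0).
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable_version(text):
    """True when the installed version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def update_url_is_expected(url):
    """True only for an https URL whose host is on the allowlist.

    A plain-http URL is rejected even for an allowlisted host, since an
    update fetched over http can be tampered with in transit.
    """
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in EXPECTED_UPDATE_HOSTS


def audit(version, auto_update_url):
    """Return a list of findings for one instance (empty list means nothing to report)."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"FreshRSS {version} is older than 1.26.2; upgrade")
    if not update_url_is_expected(auto_update_url):
        findings.append(
            f"auto-update URL {auto_update_url!r} does not point at an expected host over https"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values; none of these are taken from a real instance.
    samples = [
        ("1.26.1", "https://update.freshrss.org"),   # old version, default URL
        ("1.26.1", "http://203.0.113.7/update"),     # old version, redirected URL
        ("1.26.2", "https://update.freshrss.org"),   # patched, default URL
    ]
    for version, url in samples:
        print(f"{version:8} {url:35} -> {audit(version, url) or ['ok']}")
```

Run it against the version string and `auto_update_url` value read from each instance you manage; any non-empty finding list is either an upgrade that is due or an update URL that an administrator has pointed away from the expected host and should be explained or reverted.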

Added: Aug 1, 2025, 6:46 PM
Updated: Aug 1, 2025, 6:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.1
remediation: 8.3
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.