{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-22T22:41:54.912Z", "datePublished": "2025-06-04T20:04:54.504Z", "dateUpdated": "2025-06-04T20:48:49.550Z"}, "containers": {"cna": {"title": "FreshRSS vulnerable to favicon cache poisoning via proxy", "problemTypes": [{"descriptions": [{"cweId": "CWE-349", "lang": "en", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4"}, {"name": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2"}], "affected": [{"vendor": "FreshRSS", "product": "FreshRSS", "versions": [{"version": "< 1.26.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-04T20:04:54.504Z"}, "descriptions": [{"lang": "en", "value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."}], "source": {"advisory": "GHSA-8f79-3q3w-43c4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-04T20:48:40.460533Z", "id": "CVE-2025-46339", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T20:48:49.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46339", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-04T20:48:40.460533Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T20:48:45.506Z"}}], "cna": {"title": "FreshRSS vulnerable to favicon cache poisoning via proxy", "source": {"advisory": "GHSA-8f79-3q3w-43c4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "FreshRSS", "product": "FreshRSS", "versions": [{"status": "affected", "version": "< 1.26.2"}]}], "references": [{"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "name": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-04T20:04:54.504Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46339", "state": "PUBLISHED", "dateUpdated": "2025-06-04T20:48:49.550Z", "dateReserved": "2025-04-22T22:41:54.912Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-04T20:04:54.504Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*", "matchCriteriaId": "5750A689-0869-499D-8A26-E5088B31DDF4", "versionEndExcluding": "1.26.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."}, {"lang": "es", "value": "FreshRSS es un agregador de feeds RSS autoalojado. Antes de la versi\u00f3n 1.26.2, era posible envenenar los faviconos de un feed a\u00f1adiendo una URL como feed con un proxy configurado como uno controlado por el atacante y con la verificaci\u00f3n SSL deshabilitada. El hash del favicon se calcula mediante el hash de la URL del feed y la sal, sin incluir las siguientes variables: direcci\u00f3n del proxy, protocolo del proxy y si se debe verificar SSL. Por lo tanto, es posible envenenar el favicon de un feed simplemente interceptando la respuesta del feed y cambiando la URL del sitio web a una donde un atacante controle el favicon del feed. Cualquiera puede reemplazar los faviconos del feed para todos los usuarios. La versi\u00f3n 1.26.2 soluciona este problema."}], "id": "CVE-2025-46339", "lastModified": "2025-08-12T15:33:57.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-04T20:15:23.817", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-349"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-23T19:31:59.136489+00:00", "updated": "2025-06-23T19:31:59.136535+00:00", "vendors": ["freshrss", "freshrss$PRODUCT$freshrss"]}