CVE-2025-54592

High CVSS: 8.8

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0

Vendor

Freshrss

Product

Freshrss

CWE

CWE-613

Yayın Tarihi

2025-09-29 22:15:36

Güncelleme

2025-10-03 16:04:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-613 Freshrss HIGH Freshrss 2025

Referanslar

https://github.com/FreshRSS/FreshRSS/pull/7762 https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr

Benzer Kayıtlar

High

CVE-2025-62166

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication…

Medium

CVE-2025-68148

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny…

Low

CVE-2025-68932

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random n…

Medium

CVE-2025-59949

FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vuln…

High

CVE-2025-58173

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `lan…

Medium

CVE-2025-61586

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by s…