FressRSS: Clickjacking can lead to XSS and/or privilege escalation

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0

Basic Information

ID CVE-2025-57769

Source GitHub_M

Published Sep 29, 2025 at 21:37

Affected Product

Vendor FreshRSS

Product FreshRSS

Version < 1.27.0

Affected Versions FreshRSS FreshRSS < 1.27.0

CWE Classification

CWE-79 CWE-1021

References

{
    "lastseen": "",
    "description": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0",
    "published": "2025-09-29T21:37:29.491Z",
    "modified": "2025-09-29T21:37:52.895Z",
    "type": "cve",
    "title": "FressRSS: Clickjacking can lead to XSS and/or privilege escalation",
    "source": "GitHub_M",
    "references": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw\nhttps://github.com/FreshRSS/FreshRSS/pull/7677\nhttps://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
    "id": "CVE-2025-57769",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-1021"
    ],
    "cvelist": null,
    "sourceData": "FreshRSS FreshRSS < 1.27.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FreshRSS",
    "version": "< 1.27.0",
    "vendor": "FreshRSS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FressRSS: Clickjacking can lead to XSS and/or privilege escalation_CVE-2025-57769