FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

tt-rss -- multiple vulnerabilities

Affected packages
tt-rss < g20200919


VuXML ID 2eec1e85-faf3-11ea-8ac0-4437e6ad11c4
Discovery 2020-09-15
Entry 2020-09-20

tt-rss project reports:

The cached_url feature mishandles JavaScript inside an SVG document.

imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message.

It does not validate all URLs before requesting them.

Allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.


CVE Name CVE-2016-6175
CVE Name CVE-2020-25787
CVE Name CVE-2020-25788
CVE Name CVE-2020-25789