CVE-2023-27592 — Cross-site Scripting in V2

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.6%

top 31.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Miniflux.app V2 Miniflux Project Miniflux Miniflux V2

Timeline

PublishedMar 17

Latest updateApr 2

Description

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Policy header added to valid responses. By creating an RSS feed item with the inline description containing an `` tag with a `srcset` attribute pointing to an invalid URL like `http:aalert(1)`, we can coerce the proxy handl…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Gominiflux.app/v22.0.25 — 2.0.43

▶NVDminiflux_project/miniflux2.0.25 — 2.0.43

▶CVEListV5miniflux/v2>= 2.0.25, < 2.0.43

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler↗2025-04-02

▶

OSV

Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler↗2025-04-02

▶