CVE-2023-27592

Published on: Not Yet Published

Last Modified on: 03/17/2023 08:15:00 PM UTC

CVE-2023-27592 - advisory for GHSA-mqqg-xjhj-wfgw

Certain versions of V2 from Miniflux contain the following vulnerability:

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Policy header added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image. An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator. A patch is available in version 2.0.43. As a workaround sisable image proxy; default value is `http-only`.

CVE-2023-27592 has been assigned by [email protected] to track the vulnerability
Affected Vendor/Software: miniflux - v2 version = >= 2.0.25, < 2.0.43

CVE References

Description	Tags ^ⓘ	Link
Configuration Parameters	miniflux.app text/html	MISC miniflux.app/docs/configuration.html#proxy-images
Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler · Advisory · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/security/advisories/GHSA-mqqg-xjhj-wfgw
Release Miniflux 2.0.43 · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/releases/tag/2.0.43
v2/proxy.go at b2fd84e0d376a3af6329b9bb2e772ce38a25c31c · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76
v2/proxy.go at b2fd84e0d376a3af6329b9bb2e772ce38a25c31c · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90
Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler by fguillot · Pull Request #1746 · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/pull/1746
Release Miniflux 2.0.25 · miniflux/v2 · GitHub	github.com text/html	MISC github.com/miniflux/v2/releases/tag/2.0.25

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Software

Vendor	Product	Version
Miniflux	v2	= >= 2.0.25, < 2.0.43

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2023-27592 : Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTT… twitter.com/i/web/status/1…	2023-03-17 20:04:49
/r/netcve	CVE-2023-27592	2023-03-17 20:38:47