medium
5.4
CWE
79
Advisory Published
Advisory Published
Updated

CVE-2023-27592: Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

First published: Fri Mar 17 2023(Updated: )

### Impact Since [v2.0.25](https://github.com/miniflux/v2/releases/tag/2.0.25), Miniflux will automatically [proxy](https://miniflux.app/docs/configuration.html#proxy-images) images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is [returned](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76) unescaped without the expected Content Security Policy [header](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90) added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image. An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator. ### Patches PR #1746 fixes the problem. Available in Miniflux >= 2.0.43. ### Workarounds - Disable image proxy (default value is `http-only`). ### References - https://miniflux.app/docs/configuration.html#proxy-images

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Miniflux>=2.0.25<2.0.43
go/miniflux.app/v2>=2.0.25<2.0.43
2.0.43

Remedy

https://github.com/miniflux/v2/pull/1746

Remedy

https://github.com/miniflux/v2/security/advisories/GHSA-mqqg-xjhj-wfgw

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-27592?

    CVE-2023-27592 has a medium severity rating due to potential risks associated with proxying images served over HTTP.

  • How do I fix CVE-2023-27592?

    To address CVE-2023-27592, upgrade Miniflux to version 2.0.43 or later.

  • What versions of Miniflux are affected by CVE-2023-27592?

    CVE-2023-27592 affects Miniflux versions between 2.0.25 and 2.0.43, excluding 2.0.43.

  • What is the potential impact of CVE-2023-27592?

    The impact of CVE-2023-27592 includes the risk of mixed content errors when proxying HTTP images.

  • Is there a workaround for CVE-2023-27592?

    The recommended workaround for CVE-2023-27592 is to immediately upgrade to the fixed version, as no temporary workaround is provided.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203