CVE-2023-27592: Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler
Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors.
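The advisory's root cause is an error handler that writes an error message into an HTML response without escaping it, so any markup that reaches the error text (for example via the URL the proxy was asked to fetch) is rendered by the browser. The following Go program is an added illustration written for this page, not code from Miniflux or its fix: `fetchImage`, the `?url=` query parameter, the `vulnerableServerError`/`safeServerError` writers and the probe URL are all constructed assumptions, and the real Miniflux proxy route and error helper differ in shape. It shows the unescaped pattern beside the escaped one and a check a regression test can make.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// marker is a harmless tag used only to detect whether a response body
// still carries caller-supplied markup unescaped (constructed for this example).
const marker = "<b>probe</b>"

// fetchImage stands in for the upstream fetch an image proxy performs. It always
// fails here and, like many wrapped errors, echoes the requested URL in its
// message; that is the path by which caller-controlled text reaches the error page.
func fetchImage(rawURL string) ([]byte, error) {
	return nil, fmt.Errorf("proxy: unable to fetch %s", rawURL)
}

// vulnerableServerError reproduces the flawed pattern: the error text is
// interpolated into an HTML body with no escaping.
func vulnerableServerError(w http.ResponseWriter, err error) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "<p>Server error: %v</p>", err)
}

// safeServerError escapes the message before it lands in markup, so <, >, &
// and quotes in the error are shown literally instead of being parsed as HTML.
func safeServerError(w http.ResponseWriter, err error) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "<p>Server error: %s</p>", html.EscapeString(err.Error()))
}

// newProxyHandler builds a minimal image-proxy handler (assumed shape, not the
// project's) whose only variable part is how it reports a fetch failure.
func newProxyHandler(reportErr func(http.ResponseWriter, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := fetchImage(r.URL.Query().Get("url"))
		if err != nil {
			reportErr(w, err)
			return
		}
		w.Header().Set("Content-Type", "image/png")
		w.Write(body)
	}
}

// ProxyErrorPage sends one request through the handler and returns the status
// code and body so the two error writers can be compared side by side.
func ProxyErrorPage(escape bool, rawURL string) (int, string) {
	reportErr := vulnerableServerError
	if escape {
		reportErr = safeServerError
	}
	req := httptest.NewRequest(http.MethodGet, "/proxy?url="+url.QueryEscape(rawURL), nil)
	rec := httptest.NewRecorder()
	newProxyHandler(reportErr).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// ContainsRawMarkup reports whether the body still carries the marker tag
// unescaped; a regression test for this bug class asserts this is false.
func ContainsRawMarkup(body string) bool {
	return strings.Contains(body, marker)
}

func main() {
	// Constructed input: a URL whose path contains the marker tag.
	probe := "http://images.example/" + marker + ".png"
	for _, escape := range []bool{false, true} {
		code, body := ProxyErrorPage(escape, probe)
		fmt.Printf("escape=%v status=%d rawMarkup=%v\n%s\n\n",
			escape, code, ContainsRawMarkup(body), body)
	}
}
```

An equivalent hardening is to stop claiming `text/html` for error pages altogether (`http.Error` writes `text/plain` with `nosniff`), which removes the need to reason about escaping in that path; the escaped `text/html` variant above is shown because it keeps the handler's existing response shape.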
References
- github.com/advisories/GHSA-mqqg-xjhj-wfgw
- github.com/miniflux/v2
- github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go
- github.com/miniflux/v2/pull/1746
- github.com/miniflux/v2/releases/tag/2.0.25
- github.com/miniflux/v2/releases/tag/2.0.43
- github.com/miniflux/v2/security/advisories/GHSA-mqqg-xjhj-wfgw
- miniflux.app/docs/configuration.html
- nvd.nist.gov/vuln/detail/CVE-2023-27592