PT-2023-21232 · Miniflux · Miniflux

40826D · Published 2023-03-17 · Updated 2025-04-02 · CVE-2023-27592
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Miniflux versions 2.0.25 through 2.0.42
Description: Since version 2.0.25, Miniflux automatically proxies images served over HTTP to avoid mixed-content errors. When the outbound request made by the Go HTTP client fails, the proxy handler responds with html.ServerError, which writes the error text, and with it the requested URL, into the page unescaped and without the Content Security Policy header that valid responses carry. An attacker can publish an RSS feed item whose <img> tag has a srcset attribute pointing to an invalid URL that Go's http.Client cannot fetch, coercing the proxy handler into this error path, where the attacker-controlled URL is reflected unescaped. Activating the broken image then executes attacker-supplied JavaScript in the context of the victim's Miniflux session, allowing the attacker to act on behalf of that user and potentially gain administrative access.
Recommendations: For Miniflux versions 2.0.25 through 2.0.42, update to version 2.0.43, which fixes the issue. As a temporary workaround, disable the image proxy (PROXY_IMAGES=none in the 2.0.x configuration); note that the default value is http-only, so an instance that never set this option is affected.
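The following Go program is an added illustration of the bug class described above; it is not Miniflux code and does not reproduce Miniflux's actual proxy route or templates. It assumes a hypothetical handler that receives the proxied URL in a `url` query parameter and renders a hypothetical `errorPage` template on failure. The vulnerable variant interpolates `err.Error()` unescaped; because Go's `*url.Error` quotes the requested URL inside its message, an invalid URL supplied by a feed author is reflected into the response verbatim. The hardened variant HTML-escapes the message and adds a restrictive Content-Security-Policy header. The constructed test URLs use a space in the host name (rejected by `url.Parse`, so no network is needed) and a stub transport that fails every request that does parse.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// failingTransport is a constructed RoundTripper: every request that reaches
// the transport fails as an unreachable upstream would, so the demo never
// touches the network. URLs that do not parse fail earlier, inside
// http.NewRequest, before the transport is consulted.
type failingTransport struct{}

func (failingTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, errors.New("dial tcp: connection refused (simulated)")
}

var client = &http.Client{Transport: failingTransport{}}

// errorPage is a hypothetical HTML error template with one string slot.
const errorPage = "<html><body><h1>Internal Server Error</h1><p>%s</p></body></html>"

// vulnerableProxy reproduces the bug class from the advisory: on a failed
// fetch it writes err.Error() into HTML unescaped and sets no CSP header.
// *url.Error formats as `parse "<url>": ...` or `Get "<url>": ...`, so the
// attacker-controlled URL lands in the page byte for byte.
func vulnerableProxy(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("url")
	resp, err := client.Get(target)
	if err != nil {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusInternalServerError)
		fmt.Fprintf(w, errorPage, err.Error())
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// hardenedProxy is the same handler with the two missing controls: the error
// text is HTML-escaped before it is written, and the error response carries a
// CSP that forbids script execution even if escaping were ever missed again.
func hardenedProxy(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("url")
	resp, err := client.Get(target)
	if err != nil {
		w.Header().Set("Content-Security-Policy", "default-src 'none'")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusInternalServerError)
		fmt.Fprintf(w, errorPage, html.EscapeString(err.Error()))
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// probe drives a handler with a constructed proxy request for target and
// returns status, body and the CSP header so the two handlers can be compared.
func probe(h http.HandlerFunc, target string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/proxy?url="+url.QueryEscape(target), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String(), rec.Header().Get("Content-Security-Policy")
}

// reflectsRawMarkup reports whether the payload survived into the body
// unescaped, i.e. whether a browser would parse it as an element.
func reflectsRawMarkup(body, payload string) bool {
	return strings.Contains(body, payload)
}

// Constructed feed image URL. A space is not a legal host character, so
// url.Parse rejects it and the error message quotes the full raw URL.
const payload = "<img src=x onerror=alert(document.cookie)>"
const attackerURL = "http://" + payload

func main() {
	handlers := []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableProxy}, {"hardened", hardenedProxy}}
	for _, hd := range handlers {
		code, body, csp := probe(hd.h, attackerURL)
		fmt.Printf("%-10s status=%d csp=%q reflected=%v\n%s\n\n",
			hd.name, code, csp, reflectsRawMarkup(body, payload), body)
	}
}
```

The escaping alone closes this particular hole; the CSP header is defence in depth, and a production fix would additionally avoid echoing the upstream URL at all, logging it server-side and returning a generic message instead.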

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-27592
GHSA-MQQG-XJHJ-WFGW

Affected Products

Miniflux