CVE-2023-27592

EPSS 0.49%
Veröffentlicht 17.03.2023 20:15:13
Zuletzt bearbeitet 21.11.2024 07:53:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. 

When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Policy header added to valid responses.

By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image.

An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator.

A patch is available in version 2.0.43. As a workaround sisable image proxy; default value is `http-only`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Miniflux Project ≫ Miniflux SwPlatformgo Version >= 2.0.25 < 2.0.43

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.648

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.8	1.2	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/miniflux/v2/releases/tag/2.0.43

Release Notes

https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76

Product

https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90

Product

https://github.com/miniflux/v2/pull/1746

Patch

Issue Tracking

https://github.com/miniflux/v2/releases/tag/2.0.25

Release Notes

https://github.com/miniflux/v2/security/advisories/GHSA-mqqg-xjhj-wfgw