Miniflux, Cross-Site Scripting (XSS), CVE-2024-1234 (Medium)

How the CVE Works

The vulnerability arises from Miniflux's weak Content Security Policy (CSP) on the `/proxy/` route. By default, the CSP was set to `default-src 'self'`, allowing only same-origin resources. However, when processing external images via the proxy, an attacker could inject malicious JavaScript due to insufficient CSP restrictions. If a user opens a manipulated proxied image in a new tab, the attacker's script executes in the victim's browser context, leading to XSS. The flaw enables arbitrary code execution when interacting with malicious RSS feeds containing specially crafted media.

DailyCVE Form

Platform: Miniflux
Version: < 2.2.7
Vulnerability: XSS
Severity: Medium
Date: 2024-03-15

What Undercode Says:

Exploitation

  1. Craft Malicious Feed: Embed JavaScript in an image URL within an RSS feed.
    <item>
    <>Exploit</>
    <enclosure url="http://attacker.com/xss.jpg" type="image/jpeg"/>
    </item>
    
  2. Bypass CSP: Host payload on a domain allowed by the weak `default-src 'self'` policy.
    <script>alert(document.cookie)</script>
    

Protection

1. Upgrade Miniflux:

docker pull miniflux/miniflux:2.2.7

2. Manual CSP Patch: Modify the proxy route’s CSP header:

add_header Content-Security-Policy "default-src 'none'; form-action 'none'; sandbox;";

3. Input Sanitization: Reject feeds with non-image MIME types in enclosures.

Detection

Check whether the proxy route sends the hardened CSP header (a vulnerable version does not):

curl -I http://miniflux-host/proxy/example.com | grep -i "content-security-policy"

Expected output on a patched instance: a header containing `default-src 'none'`
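The same check, scripted, as an added example that is not part of the advisory or of Miniflux's own code: it fetches the proxy route's response headers (base URL assumed to be passed on the command line), parses the CSP value into directives, and reports which of the hardened directives from the Protection section are missing. The header values in `WEAK` and `HARDENED` are constructed for illustration.

```python
"""Check whether a Miniflux /proxy/ response carries the hardened CSP."""
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample values: the weak default and the hardened policy.
WEAK = "default-src 'self'"
HARDENED = "default-src 'none'; form-action 'none'; sandbox;"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive, and a repeated directive keeps its first occurrence
    (matching browser behaviour)."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def proxy_csp_findings(value: str) -> List[str]:
    """Return the reasons a CSP is too weak for the image proxy route."""
    d = parse_csp(value)
    findings: List[str] = []
    default = d.get("default-src")
    if default is None:
        findings.append("missing default-src")
    elif default != ["'none'"]:
        findings.append(f"default-src is {' '.join(default)}, expected 'none'")
    if "sandbox" not in d:
        findings.append("missing sandbox directive")
    if d.get("form-action") != ["'none'"]:
        findings.append("form-action is not 'none'")
    return findings


def check_proxy_route(base_url: str, timeout: float = 5.0) -> Tuple[str, List[str]]:
    """HEAD the proxy route (any proxied path works; only headers are read)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/proxy/example.com", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        csp = resp.headers.get("Content-Security-Policy", "")
    return csp, proxy_csp_findings(csp)


if __name__ == "__main__":
    import sys
    raw, problems = check_proxy_route(sys.argv[1])
    print(raw or "<no CSP header>", problems or ["hardened"])
```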

Mitigation Commands

1. Restrict proxy access:

chmod 750 /path/to/miniflux/proxy

2. Audit feeds:

SELECT * FROM entries WHERE enclosure_url LIKE '%javascript%';

References

Reported By: https://github.com/advisories/GHSA-cq88-842x-2jhp