We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-31483

Stored XSS in Miniflux Media Proxy due to improper Content-Security-Policy configuration



Description

Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.

Reserved 2025-03-28 | Published 2025-04-03 | Updated 2025-04-03 | Assigner GitHub_M


MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 2.2.7
affected

References

github.com/...lux/v2/security/advisories/GHSA-cq88-842x-2jhp

github.com/...ommit/cb695e653a08af4cabcb277c271ce74bd0c746e6

cve.org (CVE-2025-31483)

nvd.nist.gov (CVE-2025-31483)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-31483

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.