CVE-2025-31483

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-31483
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
CVSS

No CVSS.

References
Link Resource
https://github.com/miniflux/v2/commit/cb695e653a08af4cabcb277c271ce74bd0c746e6
https://github.com/miniflux/v2/security/advisories/GHSA-cq88-842x-2jhp
Configurations

No configuration.

History

07 Apr 2025, 14:18

Type Values Removed Values Added
Summary
  • (es) Miniflux es un lector de feeds. Debido a una política de seguridad de contenido (CSP) débil en la ruta /proxy/*, un atacante puede eludir la CSP del proxy multimedia y ejecutar cross-site scripting al abrir imágenes externas en una nueva pestaña o ventana. Para mitigar la vulnerabilidad, la CSP del proxy multimedia se ha cambiado de `default-src 'self' a `default-src 'none'; form-action 'none'; sandbox;`. Esta vulnerabilidad se corrigió en la versión 2.2.7.

03 Apr 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-03 18:15

Updated : 2025-04-07 14:18

NVD link : CVE-2025-31483

Mitre link : CVE-2025-31483

CVE.ORG link : CVE-2025-31483

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')