CVE-2025-31483
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-31483
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31483.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-31483
- Aliases
- Related
- Published
- 2025-04-03T18:15:47Z
- Modified
- 2025-04-09T17:42:02.482719Z
- Summary
- [none]
- Details
-
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
- References
Affected packages
Git / github.com/miniflux/v2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/miniflux/v2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2.*
2.0.0
2.0.0-rc1
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.3
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.4
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.5
2.0.50
2.0.51
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
v1.*
v1.0.46
v2.*
v2.0.46
v2.0.47
v2.0.48
v2.0.49
v2.0.51
v2.1.1
v2.1.2
v2.2.0
v2.2.3