Vulnerability Spotlight: XSS vulnerability in Ghost CMS
Thursday, January 19, 2023 15:01
Dave McDaniel of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.
TALOS-2022-1686 (CVE-2022-47194 through CVE-2022-47197) describes several stored XSS vulnerabilities that can lead to privilege escalation.
Ghost CMS separates users into four groups (five, if the site owner is included) of increasing privilege: Contributor, Author, Editor and Administrator. Contributors have the least privilege and may create but not publish posts. All users can add social media links, as well as a few other pieces of profile information, that are included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged for anything from basic attacks on other users to full privilege escalation. As with any XSS, a target user with the required access level must load an affected resource while logged in for the injected JavaScript to run. The vulnerabilities listed here are triggered when a higher-privileged user simply previews or visits any post by the malicious user, because these social links appear to be included on all of that user's posts. We have confirmed that a full privilege escalation to Administrator can be achieved with the correct JavaScript payload.
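To make the attack class concrete, the following is an added example; it is not Ghost's code and not Talos's proof of concept. It shows a naive author-card template that interpolates profile social link fields straight into an href attribute, beside a hardened version that accepts only absolute http(s) URLs and escapes every attribute value. The field names (`website`, `twitter`), the markup and the profile data are assumptions constructed for illustration.

```javascript
// Added example (not Ghost's code): stored XSS via profile social link fields
// rendered into an author card, vulnerable rendering beside a hardened one.
// Field names, markup and sample data are assumptions for illustration.

// Constructed profile as a low-privilege user might save it. The website
// value closes the href attribute and smuggles in an event handler; the
// twitter value uses a javascript: URL that fires when the link is clicked.
const maliciousProfile = {
  name: 'mallory',
  website: 'https://example.org/"><img src=x onerror="alert(document.cookie)">',
  twitter: 'javascript:alert(document.domain)',
};

// Constructed benign profile, to show the hardened renderer keeps good links.
const benignProfile = {
  name: 'alice',
  website: 'https://alice.example',
  twitter: 'https://twitter.com/alice',
};

// Vulnerable: raw interpolation of stored fields into HTML attributes.
function renderAuthorCardUnsafe(user) {
  return `<a href="${user.website}">${user.name}</a>` +
         `<a href="${user.twitter}">twitter</a>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs; return the normalised URL or null.
// javascript:, data:, relative strings and unparsable input are all rejected.
function safeHttpUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.href;
}

// Hardened: validate each link, drop the ones that fail, and escape
// everything that reaches the template, the display name included.
function renderAuthorCardSafe(user) {
  const parts = [];
  const site = safeHttpUrl(user.website);
  if (site) parts.push(`<a href="${escapeHtml(site)}">${escapeHtml(user.name)}</a>`);
  const tw = safeHttpUrl(user.twitter);
  if (tw) parts.push(`<a href="${escapeHtml(tw)}">twitter</a>`);
  return parts.join('');
}

// Report whether rendered markup still carries the injected pieces.
function containsInjection(html) {
  return html.includes('<img') || html.includes('onerror="') || html.includes('javascript:');
}

console.log('unsafe:', renderAuthorCardUnsafe(maliciousProfile));
console.log('safe:  ', renderAuthorCardSafe(maliciousProfile));
```

The hardened renderer does two separate things: URL validation rejects `javascript:` and other non-http schemes that would execute when the link is clicked, and attribute escaping keeps any value, including the display name, from closing the attribute and injecting new markup. The WHATWG URL parser happens to percent-encode quotes and angle brackets in the path as well, but output encoding at the template boundary should not depend on that.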
Separating the admin domain, as documented at https://ghost.org/docs/config/#admin-url, puts the admin interface and its API on a different browser origin from the public site, which prevents script injected into a post from performing privileged API calls such as modifying a user's role or adding users. In default installations, however, the public site and the admin API share an origin, and these vulnerabilities can be used for privilege escalation via XSS. In effect, in a default installation of Ghost CMS, any user who can author posts has the same privileges as an administrator.
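As an added check (example code, not Ghost's own), the function below takes a Ghost config object in the shape of config.production.json and reports whether the `url` and `admin.url` settings place the public site and the admin interface on different browser origins. The sample configs are constructed and the hostnames are placeholders; the assumption that an unset `admin.url` means the admin interface is served from `url` reflects Ghost's documented default.

```javascript
// Added example (not Ghost's code): check whether a Ghost config separates the
// admin origin from the public site origin. Sample configs are constructed.

// The same-origin policy compares scheme, host and port; URL.origin gives
// exactly that triple, so two URLs that differ only in path share an origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Assumption taken from Ghost's documented default: when admin.url is unset,
// the admin interface is served from the site url.
function checkAdminSeparation(config) {
  const siteOrigin = originOf(config.url);
  const adminUrl = (config.admin && config.admin.url) || config.url;
  const adminOrigin = originOf(adminUrl);
  return { siteOrigin, adminOrigin, separated: siteOrigin !== adminOrigin };
}

// Default-style install: no admin.url, so /ghost/ and the admin API live on
// the same origin as every public post. Script injected into a post can call
// the admin API and the browser attaches the administrator's session cookie.
const defaultConfig = { url: 'https://blog.example.com' };

// Separated: the admin API is on a different host, so a request from the
// public site is cross-origin and a cookie set by the admin host is not sent.
const separatedConfig = {
  url: 'https://blog.example.com',
  admin: { url: 'https://admin.blog.example.com' },
};

// A different path is not a different origin; this config is still exposed.
const pathOnlyConfig = {
  url: 'https://blog.example.com',
  admin: { url: 'https://blog.example.com/ghost' },
};

function describeConfig(config) {
  const r = checkAdminSeparation(config);
  return `${r.siteOrigin} vs ${r.adminOrigin}: ${r.separated ? 'separated' : 'SAME ORIGIN (default)'}`;
}

console.log(describeConfig(defaultConfig));
console.log(describeConfig(separatedConfig));
console.log(describeConfig(pathOnlyConfig));
```

Origin separation removes the escalation path, not the XSS: the injected script still runs on the public site, where it can deface content or target logged-in members. The profile fields still need output encoding; the admin URL split is defence in depth.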
Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users… We do not consider this to be a valid report.”
Cisco Talos believes these are potential security issues because it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco's vulnerability disclosure policy.
Talos tested and confirmed that this version of Ghost is affected by this vulnerability: Ghost Foundation Ghost 5.9.4.
The following Snort rules will detect exploitation attempts against this vulnerability: 60764-60765. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Related news
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post and trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_foot` for a post.