CVE-2022-47197 — MEDIUM (5.4)

Vulnerability Description

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Ghost	Ghost	5.9.4

Related Weaknesses (CWE)

CWE-79 CWE-453

References

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686ExploitThird Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686ExploitThird Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686

FAQ

What is CVE-2022-47197?

CVE-2022-47197 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript...

How severe is CVE-2022-47197?

CVE-2022-47197 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-47197?

Check the references section above for vendor advisories and patch information. Affected products include: Ghost Ghost.