CVE-2022-47196
9
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the codeinjection_head for a post.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ghost Foundation | Ghost | 5.9.4 | affected |
Weaknesses
- CWE-453: CWE-453: Insecure Default Variable Initialization
ADP Enrichment
CVE Program Container
Additional References
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.