CVE-2022-27139

Name of the Vulnerable Software and Affected Versions Ghost version 4.39.0

Description The issue concerns an arbitrary file upload vulnerability in the file upload module, potentially allowing attackers to execute arbitrary code via a crafted SVG file. However, the vendor states that uploading SVG files does not represent a remote code execution vulnerability, as SVGs are not executable on the server and may only execute JavaScript in a client's browser, which is expected and intentional functionality. The upload of SVGs is only possible by trusted authenticated users.

Recommendations For Ghost version 4.39.0, consider restricting the upload of SVG files to trusted users or disabling the file upload module temporarily until further guidance is provided. However, according to the vendor, the current functionality is intentional and does not pose a remote code execution risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.