CVE-2022-47194

Name of the Vulnerable Software and Affected Versions Ghost versions 5.9.4

Description An insecure default issue exists in the Post Creation functionality, allowing non-administrator users to inject arbitrary Javascript in posts. This enables privilege escalation to administrator via XSS. An attacker can trigger this by sending an HTTP request to inject Javascript in a post, tricking an administrator into visiting it. A stored XSS issue also exists in the twitter field for a user.

Recommendations For version 5.9.4, consider disabling the Post Creation functionality until a patch is available. Restrict access to the twitter field to minimize the risk of exploitation. Avoid using the twitter field in user profiles until the issue is resolved.