CVE-2022-47195

Name of the Vulnerable Software and Affected Versions Ghost Foundation Ghost version 5.9.4

Description An insecure default vulnerability exists in the Post Creation functionality, allowing non-administrator users to inject arbitrary Javascript in posts. This enables privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post, tricking an administrator into visiting the post. A stored XSS vulnerability also exists in the facebook field for a user.

Recommendations For Ghost Foundation Ghost version 5.9.4, consider disabling the Post Creation functionality until a patch is available. Restrict access to the facebook field for users to minimize the risk of exploitation. Avoid using the facebook field in user profiles until the issue is resolved.