CVE-2022-47196

Name of the Vulnerable Software and Affected Versions Ghost Foundation Ghost version 5.9.4

Description An insecure default vulnerability exists in the Post Creation functionality, allowing non-administrator users to inject arbitrary Javascript in posts. This enables privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post, tricking an administrator into visiting the post. A stored XSS vulnerability exists in the codeinjection head for a post.

Recommendations For Ghost Foundation Ghost version 5.9.4, consider disabling the codeinjection head functionality for posts until a patch is available. Restrict access to post creation functionality to minimize the risk of exploitation. Avoid using the post creation feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.