CVE-2022-27139

9.8 CRITICAL (NVD base score; exploitation needs an authenticated account with upload rights, so the practical severity for a well-run site is lower than the score suggests)

📋 TL;DR

CVE-2022-27139 is recorded as an arbitrary file upload vulnerability in Ghost CMS v4.39.0. An authenticated user with upload rights can upload an SVG file that contains JavaScript, and Ghost then serves that file from the site's own origin. The script runs in a visitor's browser when the SVG is opened at its direct URL or embedded with <iframe>, <object> or <embed>; it does not run when the file is referenced from an <img> tag, because browsers never execute script in image loads. The effect is therefore stored cross-site scripting on the site's origin. The vendor's position is that SVG upload by trusted staff users is intended, which makes this a question of where the trust boundary sits: every upload-capable account is implicitly trusted with script execution on the site.

💻 Affected Systems

Products:
  • Ghost CMS
Versions: v4.39.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with file upload rights. The vendor treats SVG upload as intended functionality that is only available to trusted staff users (see the advisory link below), so the exposure is the set of accounts that can upload, including any that an attacker phishes or takes over.

📦 What is this software?

Ghost is an open-source publishing platform (blog and newsletter CMS) built on Node.js. Staff users upload images and other media through its web admin interface, and Ghost serves those files from the site's own origin, which is why script inside an uploaded SVG runs with the site's privileges.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A low-privilege but upload-capable user, or an attacker who has taken over such an account, uploads an SVG carrying JavaScript and gets an administrator to open it. Because the file is served from the site's origin, the script runs with the administrator's browser session and can call the Ghost Admin API on their behalf: session hijacking, credential theft, or escalation from a limited staff role to full administrative control of the site.

🟠

Likely Case

A user with upload rights places an SVG with embedded JavaScript on the site and gets visitors to open its direct URL, or embeds it via iframe/object/embed in content they control. The script runs in those visitors' browsers as stored XSS on the site's origin. Anonymous visitors expose little beyond what any same-origin script could reach; logged-in staff are the valuable targets.

🟢

If Mitigated

If upload rights are confined to trusted staff and uploaded SVGs are served with headers that stop script execution (see the workarounds below), the residual impact is limited to what those trusted users could already do with the editor, which the vendor considers intended functionality.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with file upload rights; no unauthenticated path is known. The attacker uploads an SVG containing a <script> element, an event handler attribute (for example onload) or a javascript: link, then gets a victim to open its direct URL or embeds it via iframe/object/embed. An SVG referenced from an <img> tag does not execute script, so public PoCs rely on direct navigation to the uploaded file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.39.1 and later (the version recorded for this CVE; because the vendor regards SVG upload by trusted users as intended, verify the behaviour after updating rather than trusting the version number alone)

Vendor Advisory: http://ghost.org/docs/security/#privilege-escalation-attacks

Restart Required: Yes

Instructions:

1. Back up the Ghost content directory and the database.
2. Update with Ghost-CLI from the install directory: ghost update (npm update ghost does not update a Ghost-CLI managed install, which keeps each release under versions/).
3. ghost update restarts Ghost when it finishes; if you updated another way, run ghost restart.
4. Confirm the running version with ghost ls or ghost version, then re-test SVG upload behaviour as described under How to Verify.

🔧 Temporary Workarounds

Restrict SVG upload permissions (all platforms)

Limit upload-capable staff accounts to the smallest set of trusted people; a compromised low-privilege uploader is the realistic attacker. If SVG is not needed, reject image/svg+xml at the reverse proxy or WAF on the admin upload endpoint.

Serve uploaded SVGs with a restrictive Content Security Policy (all platforms)

Add a CSP such as default-src 'none'; sandbox (plus X-Content-Type-Options: nosniff) to responses for /content/images/*.svg. The policy applies when the browser renders the SVG as a document (direct navigation, iframe, object, embed), which is exactly when script would run; <img> references never execute script and keep working. A site-wide CSP on the HTML pages does not help here, because the SVG is its own document with its own response headers.

🧯 If You Can't Patch

  • Strictly limit file upload rights to the smallest set of trusted staff accounts, with strong unique passwords, since a compromised uploader is the realistic entry point
  • Block SVG at the upload boundary: reject image/svg+xml at the WAF or reverse proxy on the admin upload endpoint, or scan the upload body for <script, on*= attributes, javascript: URLs and <foreignObject>; rules that only look at the file extension are weak because the file is only dangerous when rendered as a document
  • Serve existing uploads so that SVG responses cannot run script (CSP default-src 'none'; sandbox on /content/images/*.svg) and audit the SVGs already on disk

🔍 How to Verify

Check if Vulnerable:

Ghost v4.39.0 is the version recorded for this CVE. Given the vendor's position that SVG upload is intended for trusted users, also treat any install that lets non-owner staff upload SVGs as exposed, whatever its version.

Check Version:

Run ghost version in the install directory (Ghost-CLI prints both the CLI and the Ghost version), run ghost ls, or read the "version" field from current/package.json.

Verify Fix Applied:

Confirm the version is 4.39.1 or later, then test with a non-owner staff account: upload a harmless SVG containing <script>alert(document.domain)</script>, open its /content/images/ URL directly in a browser, and confirm no script runs (the upload is refused, the script is stripped, or the response carries a CSP that blocks it).

📡 Detection & Monitoring

Log Indicators:

  • SVG files appearing under content/images/ from accounts that do not normally upload vector graphics
  • Bursts of upload requests from a single staff account
  • Unusually large SVG files (script payloads and obfuscation inflate size)

Network Indicators:

  • HTTP POST requests to the admin upload endpoint carrying image/svg+xml multipart parts
  • Direct GET requests for /content/images/*.svg made as navigations (Sec-Fetch-Dest: document, Accept: text/html) rather than as image loads (Sec-Fetch-Dest: image); the former is the request pattern under which script actually executes

SIEM Query:

Ghost's request log normally records the request path, not the uploaded filename, so a query for ".svg" finds no upload events. Match on the admin upload endpoint instead (the path below is an assumption for the 4.x Admin API; check the paths in your own logs, which may include a version segment) and pair it with a filesystem audit of the uploads directory:

source="ghost.log" AND "POST" AND "/admin/images/upload/"

🔗 References

  • Vendor security documentation: http://ghost.org/docs/security/#privilege-escalation-attacks
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-27139