CVE-2024-23724

9.0 CRITICAL

📋 TL;DR

Ghost CMS versions up to 5.76.0 contain a stored cross-site scripting (XSS) vulnerability in SVG profile picture uploads. A contributor-level attacker can upload malicious SVG files containing JavaScript that interacts with the local API on port 3001, potentially leading to account takeover of any user. The vendor disputes the validity of this attack vector.

💻 Affected Systems

Products:
  • Ghost CMS
Versions: All versions through 5.76.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires contributor-level access and local API access on port 3001. The vendor disputes the attack vector's validity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Contributor compromises administrator accounts, gains full control of the Ghost instance, and potentially accesses sensitive data or deploys additional malware.

🟠 Likely Case

Contributor escalates privileges to administrator or editor roles, gaining unauthorized access to content management functions and user data.

🟢 If Mitigated

With proper input validation and content security policies, the XSS payload is neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires contributor credentials and knowledge of local API endpoints. Public proof-of-concept available from Rhino Security Labs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.77.0

Vendor Advisory: https://github.com/TryGhost/Ghost/pull/19646

Restart Required: Yes

Instructions:

1. Back up your Ghost instance.
2. Update Ghost to version 5.77.0 or later using your package manager or deployment method.
3. Restart the Ghost service.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable SVG uploads (Platforms: all)

Configure Ghost to reject SVG file uploads for profile pictures. Modify the Ghost configuration to restrict the allowed file types for uploads.

Implement Content Security Policy (Platforms: all)

Add CSP headers to prevent inline script execution from uploaded content. Add a 'Content-Security-Policy' header with script-src directives.
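The two workarounds above as an added Node.js example (not Ghost's own code or configuration): a hard rejection of SVG profile pictures, a weaker conservative scan for active content if SVG must stay enabled, and the response headers to send when serving uploaded files. The upload object shape ({ name, mime, body }) and the sample SVG strings are assumptions constructed for the example.

```javascript
// Added example, not Ghost's own code. Upload shape { name, mime, body } is assumed.
const SVG_MIME = 'image/svg+xml';

// Workaround 1: refuse SVG profile pictures entirely. Both the declared MIME type
// and the extension are checked, since either one alone is chosen by the client.
function rejectSvg(upload) {
  const ext = upload.name.toLowerCase().split('.').pop();
  if (upload.mime === SVG_MIME || ext === 'svg' || ext === 'svgz') {
    return { allowed: false, reason: 'SVG uploads are disabled' };
  }
  return { allowed: true, reason: 'ok' };
}

// Conservative deny-list of constructs that let an SVG run script or reach out.
// False positives are acceptable here; a raster format is the safe fallback.
const ACTIVE_CONTENT = [
  [/<\s*script\b/i, 'script element'],
  [/\bon[a-z]+\s*=/i, 'event handler attribute'],
  [/javascript\s*:/i, 'javascript: URL'],
  [/<\s*foreignObject\b/i, 'foreignObject element'],
  [/<\s*(iframe|embed|object)\b/i, 'embedded document'],
  [/<!ENTITY/i, 'entity declaration'],
  [/<\s*(set|animate)\b/i, 'SMIL animation'],
  [/href\s*=\s*["']\s*(https?:)?\/\//i, 'external reference'],
];

// Workaround 1, weaker form: allow SVG only when none of the constructs above
// appear. Regex scanning is an approximation; an XML parser with an element and
// attribute allow-list is stronger, and outright rejection is stronger still.
function scanSvg(text) {
  const looksLikeSvg = /^\s*(<\?xml[^>]*>\s*)?(<!--[\s\S]*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg\b/i;
  if (!looksLikeSvg.test(text)) {
    return { allowed: false, reason: 'not an SVG document' };
  }
  for (const [pattern, what] of ACTIVE_CONTENT) {
    if (pattern.test(text)) return { allowed: false, reason: `contains ${what}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Combined gate: non-SVG files pass this check (other format checks are out of
// scope); SVG files are rejected unless scanning is explicitly enabled.
function gateUpload(upload, allowScannedSvg = false) {
  const hard = rejectSvg(upload);
  if (hard.allowed || !allowScannedSvg) return hard;
  return scanSvg(upload.body.toString('utf8'));
}

// Workaround 2: headers for the route that serves uploaded files. `default-src
// 'none'` covers script-src, and `sandbox` blocks script when the SVG is opened
// as a top-level document (an <img> never runs SVG script in the first place).
function uploadResponseHeaders() {
  return {
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample inputs for the example.
const CLEAN_SVG = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="teal"/></svg>';
const SCRIPTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed placeholder */</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect width="1" height="1"/></svg>';

console.log(scanSvg(CLEAN_SVG), scanSvg(SCRIPTED_SVG), scanSvg(HANDLER_SVG));
```

The regex scan is deliberately fail-closed on anything it does not recognise as an SVG document; whenever a policy decision allows it, the plain rejectSvg path is the one to deploy, since it has no parsing corner cases at all.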

🧯 If You Can't Patch

  • Restrict contributor account creation and review existing contributor permissions
  • Implement network segmentation to block access to localhost:3001 from web application context

🔍 How to Verify

Check if Vulnerable:

Check Ghost version via admin panel or run: ghost version

Check Version:

ghost version

Verify Fix Applied:

Confirm version is 5.77.0 or higher and test SVG upload functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • API calls to localhost:3001 from web context
  • Unexpected privilege escalation events

Network Indicators:

  • HTTP requests containing SVG with script tags
  • Outbound calls from web server to localhost:3001

SIEM Query:

source="ghost.log" AND ("svg" OR "profile" OR "upload") AND ("script" OR "javascript" OR "onload")
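The keyword query above only fires when a single log event contains both an upload-related word and a script-related word, which means it depends on the file content being logged. The following added example (not Ghost's code, and not Ghost's real log format) runs that query over constructed log lines and adds a correlation the keyword query cannot express: an SVG upload followed by a request to the admin API on the local port whose Referer is the uploaded SVG itself. The JSON-per-line shape and the field names (user, role, url, host, referer, contentType, file) are assumptions.

```javascript
// Added example, not Ghost's code. Log lines are constructed samples in a
// simplified JSON-per-line shape; real Ghost logs differ.
const SAMPLE_LOG = [
  '{"time":"2024-02-01T10:00:01Z","user":"writer1","role":"Contributor","method":"POST","url":"/ghost/api/admin/images/upload/","host":"blog.example","contentType":"image/svg+xml","status":201,"file":"/content/images/2024/02/avatar.svg"}',
  '{"time":"2024-02-01T10:00:02Z","user":"admin","role":"Administrator","method":"GET","url":"/ghost/api/admin/posts/","host":"blog.example","status":200}',
  '{"time":"2024-02-01T10:03:15Z","user":"admin","role":"Administrator","method":"GET","url":"/content/images/2024/02/avatar.svg","host":"localhost:3001","status":200}',
  '{"time":"2024-02-01T10:03:16Z","user":"admin","role":"Administrator","method":"PUT","url":"/ghost/api/admin/users/1/","host":"localhost:3001","referer":"http://localhost:3001/content/images/2024/02/avatar.svg","status":200}',
  'not json: skipped by the parser',
];

// Parse JSON lines, dropping anything unparsable instead of aborting the run.
function parseLog(lines) {
  const events = [];
  for (const line of lines) {
    try { events.push(JSON.parse(line)); } catch (_) { /* skip malformed line */ }
  }
  return events;
}

// The SIEM query from the page as a function: one upload-ish keyword AND one
// script-ish keyword in the same raw event, case-insensitive.
const UPLOAD_WORDS = ['svg', 'profile', 'upload'];
const SCRIPT_WORDS = ['script', 'javascript', 'onload'];
function matchesSiemQuery(rawLine) {
  const l = rawLine.toLowerCase();
  return UPLOAD_WORDS.some((w) => l.includes(w)) && SCRIPT_WORDS.some((w) => l.includes(w));
}

const LOCAL_API_HOSTS = new Set(['localhost:3001', '127.0.0.1:3001']);

// Correlation: for each SVG upload, find later admin-API requests on the local
// port whose Referer is that SVG. A browser sends such a Referer only when the
// request originated from inside the SVG document.
function correlate(events) {
  const findings = [];
  const uploads = events.filter((e) => e.contentType === 'image/svg+xml' && e.file);
  for (const up of uploads) {
    for (const e of events) {
      if ((e.time || '') <= (up.time || '')) continue; // ISO-8601 sorts lexically
      if (!LOCAL_API_HOSTS.has(e.host)) continue;
      if (!(e.url || '').startsWith('/ghost/api/admin/')) continue;
      if (!(e.referer || '').endsWith(up.file)) continue;
      findings.push({ uploader: up.user, file: up.file, victim: e.user, request: `${e.method} ${e.url}` });
    }
  }
  return findings;
}

// Run both detections over raw lines.
function run(lines) {
  return {
    keywordHits: lines.filter(matchesSiemQuery),
    correlated: correlate(parseLog(lines)),
  };
}

console.log(JSON.stringify(run(SAMPLE_LOG), null, 2));
```

On the sample, the keyword query returns no hits because none of the events carries file content, while the correlation flags the PUT to the users endpoint with the uploaded SVG as Referer. In a real deployment the same correlation would be keyed on whatever request-logging fields the front end actually records.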

🔗 References
