Dave McDaniel of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.
TALOS-2022-1686 (CVE-2022-47194 through CVE-2022-47197) covers several XSS vulnerabilities that could lead to privilege escalation.
Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. In effect, in a default installation of Ghost CMS, a user who can author pages has the same privileges as an administrator.
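As an added illustration of the mitigation referenced above (this is not code from the advisory or from Ghost), the following `config.production.json` fragment shows the split-origin layout described in the admin-URL documentation. `url` and `admin.url` are the documented configuration keys; the host names are constructed for this example. In the default layout, `admin` is omitted and Ghost Admin is served from the public site's origin under `/ghost/`, so script injected into site content runs in the same origin as the admin session and its API. With `admin.url` on a separate host, the browser's same-origin policy keeps a script running on the public site from reaching the admin origin.

```json
{
  "url": "https://blog.example.com",
  "admin": {
    "url": "https://admin.example.com"
  },
  "server": {
    "port": 2368,
    "host": "127.0.0.1"
  }
}
```

The admin host needs its own DNS record and TLS certificate, and Ghost must be restarted for the change to take effect. The `server` block is included only to show where the keys sit in a complete file; it is unchanged from a typical install.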
Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users... We do not consider this to be a valid report.”
Cisco Talos believes these are potential security issues due to the fact that it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco’s vulnerability disclosure policy.
Talos tested and confirmed that the following version of Ghost is affected by this vulnerability: Ghost Foundation Ghost 5.9.4.
The following Snort rules will detect exploitation attempts against this vulnerability: 60764-60765. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.