SB2023012001 - Multiple vulnerabilities in Ghost Foundation Ghost

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Insecure Default Variable Initialization (CVE-ID: CVE-2022-47195)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an insecure default variable initialization in the Post Creation functionality. A remote user can inject arbitrary Javascript in posts, leading to privilege escalation to administrator via stored XSS vulnerability in the twitter field.

2) Insecure Default Variable Initialization (CVE-ID: CVE-2022-47196)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an insecure default variable initialization in the codeinjection_head. A remote user can inject arbitrary Javascript in posts, leading to privilege escalation to administrator via stored XSS vulnerability in the twitter field.

3) Insecure Default Variable Initialization (CVE-ID: CVE-2022-47197)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an insecure default variable initialization in the codeinjection_foot. A remote user can inject arbitrary Javascript in posts, leading to privilege escalation to administrator via stored XSS vulnerability in the twitter field.

4) Insecure Default Variable Initialization (CVE-ID: CVE-2022-47194)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an insecure default variable initialization in the twitter field. A remote user can inject arbitrary Javascript in posts, leading to privilege escalation to administrator via stored XSS vulnerability in the twitter field.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686