Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ghost Blog 0.11.3 Cross Site Scripting

🗓️ 20 Jan 2017 00:00:00Reported by Patrick CostaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 70 Views

Ghost Blog 0.11.3 XSS vulnerability exposes user dat

Code
`=====[ Tempest Security Intelligence - ADV-9/2017 ]========================  
  
Persistent Cross-Site Scripting (XSS) in Ghost  
-------------------------------------------------------  
Author:  
- Patrick Costa < patrickrbcosta () gmail.com >   
  
Tempest Security Intelligence - Recife, Pernambuco - Brazil  
  
=====[ Table of Contents ]=================================================  
  
1. Overview  
2. Detailed description   
3. Affected versions & Solutions   
4. Timeline of disclosure   
5. Thanks & Acknowledgements   
6. References  
  
=====[ Overview ]==========================================================  
  
* System affected : Ghost Blog [1]  
* Version : 0.11.3 previous versions or models may also be  
affected. [2]  
* Impact : This vulnerability allows an attacker to use Ghost's  
platform to deliver attacks against other users.  
  
=====[ Detailed description ]==============================================  
  
Ghost version 0.11.3 is vulnerable to persistent cross-site scripting  
(XSS) because it fails to securely handle user data, thus making it  
possible for an attacker to supply crafted input in order to harm third  
party users.  
  
The affected point is the website input field located within the "Your  
profile" page. In order to reproduce the vulnerability, access the URL  
http(s)://{{ blog URL }}/ghost/team/{{ user slug }}/ and edit the user  
website inserting the following payload:  
  
{{ valid URL }}/</script><script>alert(1)</script>  
  
Save changes and visit any post created by this author or the author's  
page at http(s)://{{ blog URL}}/author/{{ user slug }}/.  
  
It is worth noting that the issue may affect users regardless of  
privilege levels, since the malicious page can be browsed by an admin,  
the owner or a regular visitor.  
  
=====[ Aggravating factors ]===============================================  
  
The session token of an authenticated user is accessible through  
JavaScript.  
  
=====[ Affected versions & Solutions ]=====================================  
  
The vulnerability is addressed and the fix is part of the 0.11.4 release.  
  
=====[ Timeline of disclosure ]============================================  
  
12/27/2016 - Reported vulnerability to [email protected].  
01/10/2017 - Ghost team applied patch.  
01/12/2017 - Ghost team answered the email acknowledging the vulnerability.  
01/18/2017 - Advisory publication date.  
  
=====[ Thanks & Acknowledgements ]=========================================  
  
- Tempest Security Intelligence [3]  
- Tempest Hammerhead Team  
  
=====[ References ]========================================================  
  
[1] https://ghost.org/  
[2] https://github.com/TryGhost/Ghost/releases/tag/0.11.3  
[3] http://www.tempest.com.br/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jan 2017 00:00Current
7.4High risk
Vulners AI Score7.4
cross-site scriptingghost bloguser data exposuresecurity patchtempest security intelligence
70