CVE-2024-23724
Published: 11 February 2024
Summary
CVE-2024-23724 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ghost (vendor: Ghost). Its CVSS base score is 9.0 (Critical).
Operationally, it is ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Ghost through version 5.76.0 is affected by a stored cross-site scripting vulnerability tracked as CVE-2024-23724 and assigned CWE-79. The flaw resides in the handling of user profile pictures supplied in SVG format, which are persisted without sufficient sanitization and can later execute JavaScript when rendered. The CVSS 3.1 base score is 9.0, reflecting network attack vector, low complexity, and the ability to compromise confidentiality, integrity, and availability across security contexts.
An authenticated contributor account is sufficient to exploit the issue. The attacker uploads a crafted SVG containing JavaScript that reaches the Ghost administrative API listening on localhost TCP port 3001; successful execution allows the contributor to perform privileged actions that result in takeover of arbitrary user accounts, including those with administrative rights.
Public references include a detailed report and proof-of-concept from Rhino Security Labs together with Ghost pull request 19646. The vendor has stated that it does not consider the localhost API interaction a valid attack vector. The associated EPSS score rose from a low baseline to a peak of 0.4526, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0591
Vulnerability details
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
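The input-validation control above, applied to the SVG profile-picture upload described in the analysis, as an added example that is neither Ghost's code nor the fix from pull request 19646: an allow-list check an upload handler could run before storing an SVG, rejecting script elements, event-handler attributes, entity declarations and external href targets. The function name, the element and attribute lists, and the sample files are all hypothetical.

```javascript
// Added example (not Ghost's code): allow-list check for an uploaded SVG avatar.
const ALLOWED_ELEMENTS = new Set(['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
  'polyline', 'polygon', 'title', 'desc', 'defs', 'use', 'linearGradient', 'radialGradient',
  'stop', 'clipPath', 'mask', 'text', 'tspan']);
const ALLOWED_ATTRIBUTES = new Set(['xmlns', 'xmlns:xlink', 'version', 'viewBox', 'width',
  'height', 'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'fill',
  'fill-opacity', 'stroke', 'stroke-width', 'opacity', 'transform', 'id', 'class', 'offset',
  'stop-color', 'stop-opacity', 'clip-path', 'mask', 'font-size', 'font-family', 'href', 'xlink:href']);
// One tag: optional '/', a name, name="value" attributes, optional '/', then '>'. Sticky flag: match starts at the '<'.
const TAG_RE = /<(\/?)([A-Za-z][\w:.-]*)((?:\s+[^\s=\/>]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=\/>]+))*)\s*(\/?)>/y;
const ATTR_RE = /([^\s=\/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=\/>]+))/g;
const fail = (reason) => ({ ok: false, reason });

// Returns { ok: true } for an acceptable file, { ok: false, reason } otherwise.
function checkSvgUpload(svg) {
  let i = 0;
  if (svg.startsWith('<?xml')) {               // only a leading XML declaration is tolerated
    const end = svg.indexOf('?>');
    if (end < 0) return fail('unterminated XML declaration');
    i = end + 2;
  }
  while ((i = svg.indexOf('<', i)) !== -1) {
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(svg);
    // Comments, DOCTYPE/ENTITY declarations, CDATA, processing instructions and malformed tags do not parse as a plain tag: reject.
    if (!m) return fail(`unparseable markup at offset ${i}`);
    const [whole, closing, name, attrs] = m;
    if (!ALLOWED_ELEMENTS.has(name)) return fail(`element <${name}> not allowed`);
    ATTR_RE.lastIndex = 0;
    for (let a; !closing && (a = ATTR_RE.exec(attrs)) !== null;) {
      const attr = a[1], value = a[2] ?? a[3] ?? a[4];
      if (!ALLOWED_ATTRIBUTES.has(attr)) return fail(`attribute ${attr} on <${name}> not allowed`);
      // An entity reference could reassemble a blocked scheme after XML decoding.
      if (value.includes('&')) return fail(`entity reference in ${attr} not allowed`);
      if ((attr === 'href' || attr === 'xlink:href') && !value.startsWith('#'))
        return fail(`${attr} must reference a local fragment, not an external resource`);
    }
    i += whole.length;
  }
  return { ok: true };
}

// Constructed samples: a benign avatar and files carrying the script vectors a stored-XSS SVG relies on.
const SAMPLES = {
  benign: '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    + '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
  script: '<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>',
  handler: '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>',
  remoteUse: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    + '<use xlink:href="https://example.invalid/a.svg#i"/></svg>',
};
```

A production upload path would pair a check like this with serving avatars from a separate origin or with a restrictive Content-Security-Policy, so that a file which slips through still cannot reach the admin API in the user's session.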