CVE-2024-23724

CRITICAL LAB

Ghost < 5.76.0 - Stored Cross-Site Scripting via SVG Profile Picture

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-23724. PoCs published by gl1tch0x1, Youssefdds.

Description

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

Exploits (2)

nomisec WORKING POC
by gl1tch0x1 · poc
https://github.com/gl1tch0x1/Ghost-CMS-Exploit

This repository contains a functional Python exploit for CVE-2024-23724 in Ghost CMS. It performs brute-force authentication followed by SVG payload generation for authenticated users, targeting a specific vulnerability in Ghost CMS.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Ghost CMS (version not explicitly specified, but likely 5.x based on X-Ghost-Version header)
Auth required
Prerequisites: Valid Ghost CMS installation · Wordlist files for usernames and passwords · boilerplate.svg file for payload generation
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Youssefdds · poc
https://github.com/Youssefdds/CVE-2024-23724

This repository contains a functional exploit PoC for CVE-2024-23724, targeting Ghost CMS. The exploit generates a malicious SVG file to achieve tenant takeover by leveraging authentication and role manipulation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Ghost CMS 5.81.1
Auth required
Prerequisites: Valid credentials for Ghost CMS · Access to Ghost API endpoint
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 9.0
EPSS: 0.3837
EPSS Percentile: 97.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Lab Environment

COMMUNITY
Community Lab
docker pull ghost:5.81.1-alpine

Details

CWE: CWE-79
Status: published
Products (2)
ghost/ghost < 5.76.0
npm/ghost 0npm
Published: Feb 11, 2024
Tracked Since: Feb 18, 2026