CVE-2024-23724

CRITICAL LAB

Ghost < 5.76.0 - XSS

Description

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

Exploits (2)

nomisec WORKING POC
by gl1tch0x1 · poc
https://github.com/gl1tch0x1/Ghost-CMS-Exploit

nomisec WORKING POC
by Youssefdds · poc
https://github.com/Youssefdds/CVE-2024-23724

Scores

CVSS v3: 9.0
EPSS: 0.3837
EPSS Percentile: 97.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull ghost:5.81.1-alpine

Details

CWE: CWE-79
Status: published
Products (2)
ghost/ghost < 5.76.0
npm/ghost 0npm
Published: Feb 11, 2024
Tracked Since: Feb 18, 2026