Cross-site Scripting (XSS) Affecting ghost package, versions [,0.5.9)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DOTNET-GHOST-60158
  • published22 Mar 2017
  • disclosed22 Mar 2017
  • creditAbdel Adim Oisif

Introduced: 22 Mar 2017

CVE-2015-1406  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade ghost to version 0.5.9 or higher.

Overview

ghost is a blogging platform.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks. An authenticated user can embed code in the blog's images, like the user avatar, cover image and blog image, with possible malicious intent to execute the code on the client-side. Additionally, another Cross-site Scripting (XSS) has been found in the Tag Manager. An authenticated user can create a new post and tag it with a tag containing javascript code. An administrator may want to delete this tag, triggering the javascript code. This will result in the administrator token is stolen and his session hijacked.

Details

<>

You can read more about Cross-site Scripting (XSS) on our blog.

CVSS Scores

version 3.1