Ghost CMS Stored XSS Leading to Owner Takeover [CVE-2024-23724]

We discussed this vulnerability during Episode 243 on 19 February 2024

The XSS is delivered through the profile image upload: an SVG file that carries the script. This is a fairly common situation, where SVG support allows XSS because the scripts inside the SVG are not sanitized, but also one we have basically never talked about on the podcast.

Within the context of Ghost CMS, the Ghost team decided that this issue was not worth fixing, presumably because even the lowest role, Contributor, can already get XSS through the actual content they produce. Although Contributors cannot publish that content themselves, and scripts do not execute within the content panel, once the content they write is published they can get an arbitrary script running on the blog.

What makes this XSS a little more interesting is that it sits in the profile image functionality. Those profile images are not only shown on the blog but also within the content panel, allowing the XSS to land from within the content/admin panel and target an admin. Under common deployments the panel and the blog are on the same domain, so this doesn’t matter very much: an XSS on the main domain can still communicate with the REST API used by the panel and use it to leak session information and upgrade a user’s role to gain privileges. If the panel is hosted on a separate domain, though, the fact that the XSS lands on the panel itself creates a new privilege escalation vector that wouldn’t be present with a blog-only XSS.
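As an added illustration of the mitigation side, the following Node.js example (written for this note; it is not Ghost's code and does not reflect how Ghost handles uploads) shows the two controls a defender would reach for against SVG-based stored XSS: a conservative reject-on-sight check for uploaded SVG bytes, and the response headers to use when user-supplied SVG has to be served from the application origin at all. The SVG samples are constructed for the example, and the regex checks are deliberately heuristic; a real deployment would pair them with a DOM-based sanitizer (for example DOMPurify with its SVG profile) and, following the domain point made above, serve uploads from an origin that shares no session with the admin panel.

```javascript
// Added example, not part of the original note or of Ghost CMS.
// Heuristic patterns for SVG content that can execute script or pull in
// external resources when the file is opened as a document.
const SCRIPT_TAG = /<\s*script\b/i;
const EVENT_HANDLER_ATTR = /\son[a-z]+\s*=/i;           // onload=, onclick=, ...
const SCHEME_HREF = /(?:xlink:)?href\s*=\s*["']?\s*(?:javascript|data)\s*:/i;
const FOREIGN_OBJECT = /<\s*foreignObject\b/i;           // embeds arbitrary HTML
const USE_EXTERNAL = /<\s*use\b[^>]*href\s*=\s*["']\s*(?:https?:)?\/\//i;

// Returns a list of risk labels found in the SVG text (empty means nothing flagged).
function findSvgRisks(svgText) {
  const risks = [];
  if (SCRIPT_TAG.test(svgText)) risks.push('script-element');
  if (EVENT_HANDLER_ATTR.test(svgText)) risks.push('event-handler-attribute');
  if (SCHEME_HREF.test(svgText)) risks.push('javascript-or-data-href');
  if (FOREIGN_OBJECT.test(svgText)) risks.push('foreignObject');
  if (USE_EXTERNAL.test(svgText)) risks.push('external-use-reference');
  return risks;
}

// Upload policy: accept only SVGs with no flagged content. Rejecting is safer
// than trying to strip the offending parts with regexes.
function svgUploadDecision(svgText) {
  const risks = findSvgRisks(svgText);
  return { accepted: risks.length === 0, risks };
}

// Headers for serving a user-supplied SVG from the app origin. The CSP
// `sandbox` directive gives a directly opened SVG an opaque origin, so even a
// script that slipped through cannot reach the application's cookies or API;
// nosniff stops the bytes being re-interpreted as HTML.
function svgServingHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed samples (hypothetical uploads) for exercising the checks.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>';
const SCRIPTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<script>/* constructed sample: script element present */</script></svg>';
const HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<circle cx="5" cy="5" r="4" onload="init()"/></svg>';
const JS_HREF_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<a href="javascript:void(0)"><text x="1" y="8">link</text></a></svg>';

// Stand-alone run: print the decision for each constructed sample.
for (const [name, svg] of Object.entries({ BENIGN_SVG, SCRIPTED_SVG, HANDLER_SVG, JS_HREF_SVG })) {
  console.log(name, JSON.stringify(svgUploadDecision(svg)));
}
console.log('serving headers:', svgServingHeaders());
```

The check runs on the raw upload before anything is stored, which is the point at which a Contributor-supplied profile image would otherwise be accepted; the headers matter for the case where an SVG is still reachable as a top-level document on the same origin as the panel.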