Critical severityNVD Advisory· Published Apr 12, 2022· Updated Aug 3, 2024
CVE-2022-27139
CVE-2022-27139
Description
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ghostnpm | <= 4.39.0 | — |
Affected products
3- osv-coords2 versions
>= 4.39.0, < 4.39.1+ 1 more
- (no CPE)range: >= 4.39.0, < 4.39.1
- (no CPE)range: <= 4.39.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-fvc6-qjp7-m4g4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-27139ghsaADVISORY
- ghost.org/docs/security/ghsax_refsource_MISCWEB
- youtu.be/FCqWEvir2wEghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.