VYPR
Critical severity · NVD Advisory · Published Apr 12, 2022 · Updated Aug 3, 2024

CVE-2022-27139

Description

An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ghost v4.39.0 file upload module allows arbitrary file upload, enabling XSS attacks via SVG files by authenticated users.

Vulnerability

The vulnerability resides in the file upload module of Ghost v4.39.0, which accepts SVG files from trusted authenticated users without stripping active content. While this does not lead to server-side code execution, an uploaded SVG can carry JavaScript that runs in a victim's browser when the SVG is loaded as a document. This is a client-side code execution (cross-site scripting) vulnerability: the uploader can achieve arbitrary script execution in the viewer's browser. The affected version is Ghost v4.39.0, as per the CVE description [1].

Exploitation

An attacker must be a trusted authenticated user with upload privileges in the Ghost CMS. The attacker crafts an SVG file containing malicious JavaScript and uploads it via the file upload module. The SVG file, once uploaded, is stored and can be served to other users. When a victim (e.g., another user or site visitor) views the page containing the SVG, the embedded JavaScript executes in their browser. The exploitation does not require any additional user interaction beyond viewing the SVG. The attacker cannot achieve server-side code execution via this upload; the impact is limited to client-side scripting attacks [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the Ghost site. This leads to full XSS impact: the attacker can potentially steal session cookies, perform actions on behalf of the victim (such as creating posts, modifying site content, or escalating privileges if the victim is an admin), deface the site, or redirect users to malicious domains. The vulnerability does not allow server-side code execution or file system access; all impact is confined to the browsers of authenticated users who view the SVG [1].

Mitigation

According to the Ghost vendor, this behavior is expected and intentional. Ghost's security documentation states that SVG uploads are restricted to trusted authenticated users and that SVGs are not executable on the server; any JavaScript execution occurs in the browser and is considered a client-side feature rather than a vulnerability. Therefore, there is no patch or planned fix. The vendor considers the security boundary to be the trusted user group; mitigation relies on ensuring that only trusted, non-malicious users have upload privileges. No fixed version has been released, and this is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should enforce strict access controls and may consider disabling SVG uploads via custom configuration if client-side XSS is a concern [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       | Affected versions | Patched versions
ghost (npm)   | <= 4.39.0         | (none listed)

Affected products (3)

  • Ghost/Ghost (description)
  • osv-coords, 2 versions:
    • (no CPE) range: >= 4.39.0, < 4.39.1
    • (no CPE) range: <= 4.39.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.