CVE-2024-23725
Description
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ghost versions before 5.76.0 are vulnerable to stored XSS via post excerpts, allowing an attacker to inject arbitrary scripts into post summaries.
Vulnerability Overview
CVE-2024-23725 describes a stored cross-site scripting vulnerability in Ghost, an open-source publishing platform. The flaw resides in the excerpt.js module, where post excerpts are rendered without proper output encoding. In versions prior to 5.76.0, an attacker who can create or edit posts (an authenticated author or editor) can inject a malicious HTML/JavaScript payload into the excerpt field. When the summary is displayed, the browser executes the attacker's script, leading to XSS [1][3].
Exploitation Prerequisites
Exploitation requires an authenticated user with the ability to create or edit posts (typically authors or editors). The attacker supplies a crafted excerpt containing JavaScript. Upon saving the post, the payload is stored and later rendered unescaped in any view that shows post summaries (e.g., blog index, search results, RSS feeds). No additional user interaction beyond viewing the affected summary is needed for the script to fire [2][3].
Impact Assessment
A successful XSS attack can lead to session hijacking, account takeover, credential theft, or redirection to malicious sites. Since Ghost is a content management system, an attacker could steal administrative tokens, modify site content, or deploy further attacks against readers. The vulnerability is classified as moderate severity but may have high impact depending on the deployment context [1].
Mitigation
The issue was fixed in Ghost version 5.76.0, released on the same day as the CVE publication. The patch uses the Lodash escape function to encode excerpt output, so that HTML special characters are emitted as entities instead of being interpreted as markup [3][4]. Users should upgrade immediately; no workaround is available for older versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
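The output-encoding fix described under Mitigation, shown as an added example that is not Ghost's own code and not part of the patch: a summary renderer before and after escaping, plus a check for stored excerpts worth reviewing after the upgrade. The renderer names, the `custom_excerpt` and `slug` field names, and the sample posts are assumptions made for this illustration.

```javascript
// Added example, not Ghost's code. escapeHtml encodes the same five
// characters as Lodash's _.escape; it is inlined so the block runs offline.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical "before" renderer: the stored excerpt reaches the page as markup.
function renderSummaryUnescaped(post) {
  return `<p class="excerpt">${post.custom_excerpt}</p>`;
}

// Hypothetical "after" renderer: the excerpt is encoded at the point of output.
function renderSummaryEscaped(post) {
  return `<p class="excerpt">${escapeHtml(post.custom_excerpt)}</p>`;
}

// Audit helper: slugs of posts whose stored excerpt contains something that
// parses as a tag, for manual review of content saved before the upgrade.
function findSuspectExcerpts(posts) {
  return posts
    .filter((p) => typeof p.custom_excerpt === 'string')
    .filter((p) => /<[a-z!\/]/i.test(p.custom_excerpt))
    .map((p) => p.slug);
}

// Constructed sample posts (field names are assumptions for this example).
const samplePosts = [
  { slug: 'release-notes', custom_excerpt: 'Fixes & improvements for Q1' },
  { slug: 'guest-post', custom_excerpt: '<script>alert(1)</script>' },
  { slug: 'math', custom_excerpt: 'Why 3 < 5 matters' },
];

for (const post of samplePosts) {
  console.log(post.slug, '=>', renderSummaryEscaped(post));
}
console.log('review:', findSuspectExcerpts(samplePosts));
```

Escaping at output leaves the stored excerpt unchanged, so content saved before the upgrade renders as inert text once the fixed version is running; the audit helper only identifies which posts to review.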
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ghost (npm) | < 5.76.0 | 5.76.0 |
Affected products (3)
- Ghost/Ghost (description)
- osv-coords: 2 versions (< 5.76.0, + 1 more)
- (no CPE) range: < 5.76.0
- (no CPE) range: < 5.76.0
Patches
164d67717f7c7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
0No linked articles in our index yet.