CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 3CVE-2022-47197
https://notcve.org/view.php?id=CVE-2022-47197
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post. Existe una vulnerabilidad predeterminada insegura en la funcionalidad de creación posterior de Ghost Foundation Ghost 5.9.4. Las instalaciones predeterminadas de Ghost permiten a los usuarios que no son administradores inyectar Javascript arbitrario en las publicaciones, lo que permite escalar privilegios al administrador a través de XSS. • https://github.com/miguelc49/CVE-2022-47197-2 https://github.com/miguelc49/CVE-2022-47197-1 https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-453: Insecure Default Variable Initialization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-47196
https://notcve.org/view.php?id=CVE-2022-47196
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-453: Insecure Default Variable Initialization CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-47195
https://notcve.org/view.php?id=CVE-2022-47195
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user. Existe una vulnerabilidad predeterminada insegura en la funcionalidad de creación posterior de Ghost Foundation Ghost 5.9.4. Las instalaciones predeterminadas de Ghost permiten a los usuarios que no son administradores inyectar Javascript arbitrario en las publicaciones, lo que permite escalar privilegios al administrador a través de XSS. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-453: Insecure Default Variable Initialization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-47194
https://notcve.org/view.php?id=CVE-2022-47194
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-453: Insecure Default Variable Initialization CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41697
https://notcve.org/view.php?id=CVE-2022-41697
A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1625 • CWE-204: Observable Response Discrepancy •