CVE-2021-29484

DOM XSS in Theme Preview

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3, all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround blocking access to /ghost/preview can also mitigate the issue.

Ghost es un CMS Node.js. Un endpoint sin uso agregado durante el desarrollo de la versión 4.0.0 ha dejado los sitios vulnerables a que usuarios no confiables que obtienen acceso a Ghost Admin. Los atacantes pueden conseguir acceso al hacer que unos usuarios que tengan iniciada la sesión hagan clic en un enlace que contenga código malicioso. Los usuarios no necesitan introducir sus credenciales y es posible que no sepan que han visitado un sitio malicioso. Ghost(Pro) ya ha sido parcheado. No hemos encontrado pruebas de que el problema se haya explotado en Ghost(Pro) antes de que se agregara el parche. Los autohospedadores están afectados si ejecutan Ghost en una versión entre 4.0.0 y 4.3.2. Se deben tomar medidas inmediatas para proteger su sitio. El problema ha sido corregido en 4.3.3, todos los sitios 4.x deberían actualizarse lo antes posible. Como el endpoint sin uso, el parche simplemente lo elimina. Como solución alternativa, bloquear el acceso a /ghost/preview también puede mitigar el problema.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-30 CVE Reserved
2021-04-29 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-10-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg	Mitigation
https://www.npmjs.com/package/ghost	Product

URL	Date	SRC
https://blog.sonarsource.com/ghost-admin-takeover	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290	2021-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ghost Search vendor "Ghost"		Ghost Search vendor "Ghost" for product "Ghost"				>= 4.0.0 < 4.3.3 Search vendor "Ghost" for product "Ghost" and version " >= 4.0.0 < 4.3.3"		node.js		Affected