CVE-2022-47195 in Ghost
Summary
by MITRE • 01/19/2023
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/05/2025
The vulnerability identified as CVE-2022-47195 represents a critical insecure default configuration within the Ghost content management system version 5.9.4, specifically affecting the post creation functionality. This issue stems from the application's failure to properly sanitize user inputs in the facebook field of user profiles, creating a persistent cross-site scripting vulnerability that can be exploited to escalate privileges from standard user to administrator level. The flaw manifests when non-administrator users can inject malicious javascript code through the facebook profile field, which then gets stored and executed in the context of administrator sessions. This represents a classic stored cross-site scripting vulnerability that violates the fundamental security principle of input sanitization and proper access control enforcement.
The technical exploitation of this vulnerability follows a well-defined attack pattern that aligns with the ATT&CK framework's privilege escalation techniques. An attacker with a standard user account can craft malicious javascript code and inject it into the facebook field of their user profile, which gets stored in the database. When an administrator visits the profile page containing this malicious code, the javascript executes in the administrator's browser context, potentially allowing the attacker to steal session cookies, execute commands on behalf of the administrator, or perform other malicious activities. The vulnerability specifically targets the facebook field in user profiles, which is part of the user metadata collection process, making it a persistent threat that can affect any administrator who views the compromised profile. This represents a CWE-79 (Cross-site Scripting) vulnerability with additional privilege escalation implications that aligns with CWE-284 (Improper Access Control) and CWE-352 (Cross-Site Request Forgery) concepts.
The operational impact of this vulnerability extends beyond simple XSS exploitation, as it creates a persistent backdoor mechanism for attackers to gain administrative access to Ghost installations. Organizations running default Ghost installations are particularly vulnerable since the system does not enforce proper input validation on user profile fields, allowing malicious users to inject code that persists across sessions. The attack vector is relatively straightforward, requiring only an HTTP request to inject the malicious javascript code, making it accessible to attackers with basic web application exploitation skills. The vulnerability affects the core user management functionality of Ghost, potentially compromising all administrator accounts that view affected profiles. This threat is particularly concerning in multi-user environments where administrators frequently browse user profiles, as it creates a continuous attack surface that can be exploited over time.
Mitigation strategies for CVE-2022-47195 should focus on immediate input sanitization and access control enforcement. Organizations must implement proper HTML escaping and sanitization for all user profile fields, particularly those that may contain web addresses or social media links. The recommended approach includes validating and filtering all user inputs to prevent javascript execution in profile fields, implementing proper content security policies, and ensuring that user profile data is properly escaped when rendered in web pages. Additionally, administrators should be advised to avoid viewing user profiles from untrusted sources and to implement monitoring for unusual activity patterns. The fix should also include enhanced access controls to prevent non-administrative users from injecting content that could be executed in administrator contexts, aligning with principle of least privilege enforcement. Regular security audits of user input handling mechanisms and implementation of automated vulnerability scanning tools can help detect similar issues in other parts of the application. Organizations should also consider implementing web application firewalls and monitoring solutions to detect and block suspicious javascript injection attempts.