Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Ghost Foundation

Source -

CNA

BOS Name -

N/A

CNA CVEs -

8

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
8Vulnerabilities found
CVE-2024-34559
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.54% / 66.54%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 12:03
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ghost plugin <= 1.4.0 - Sensitive Data Exposure via Log File vulnerability

Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.This issue affects Ghost: from n/a through 1.4.0.

Action-Not Available
Vendor-Ghost Foundationghost
Product-Ghostghost
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2022-43441
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-8.1||HIGH
EPSS-6.16% / 90.45%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 20:14
Updated-03 Aug, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

Action-Not Available
Vendor-ghostGhost Foundation
Product-sqlite3node-sqlite3
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE ID-CWE-913
Improper Control of Dynamically-Managed Code Resources
CVE-2022-47197
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9||CRITICAL
EPSS-1.10% / 77.12%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 17:02
Updated-03 Apr, 2025 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-453
Insecure Default Variable Initialization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47196
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9||CRITICAL
EPSS-0.13% / 33.55%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 17:02
Updated-03 Apr, 2025 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-453
Insecure Default Variable Initialization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2022-47195
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9||CRITICAL
EPSS-0.13% / 33.55%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 17:02
Updated-03 Apr, 2025 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-453
Insecure Default Variable Initialization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47194
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9||CRITICAL
EPSS-0.21% / 43.87%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 17:02
Updated-03 Apr, 2025 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-453
Insecure Default Variable Initialization
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2022-41654
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-9.6||CRITICAL
EPSS-0.25% / 48.02%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 23:03
Updated-14 Apr, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-284
Improper Access Control
CVE-2022-41697
Assigner-Talos
ShareView Details
Assigner-Talos
CVSS Score-5.3||MEDIUM
EPSS-38.04% / 97.11%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 23:03
Updated-14 Apr, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.

Action-Not Available
Vendor-ghostGhost Foundation
Product-ghostGhost
CWE ID-CWE-204
Observable Response Discrepancy