CVE-2024-23724 Overview
CVE-2024-23724 affects Ghost publishing platform versions through 5.76.0. The flaw allows stored cross-site scripting (XSS) through Scalable Vector Graphics (SVG) profile picture uploads. A contributor-level account can upload an SVG containing JavaScript that executes in the context of any user viewing the profile image. The embedded script interacts with the Ghost API on localhost TCP port 3001, enabling account takeover and privilege escalation. The vendor stated they do not view this as a valid attack vector, and the issue is tracked in the Rhino Security Labs CVE repository and a Ghost pull request.
Critical Impact
A low-privileged contributor can escalate to administrator by uploading a malicious SVG that hijacks higher-privileged sessions via the local Ghost API.
Affected Products
- Ghost (Node.js) versions through 5.76.0
- Self-hosted Ghost deployments exposing the admin interface
- Multi-author Ghost instances that grant contributor accounts upload capability
Discovery Timeline
- 2024-02-11 - CVE-2024-23724 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23724
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) issue [CWE-79] in Ghost's profile picture upload functionality. Ghost accepts SVG files as profile images without sanitizing embedded scripts. SVG is an XML-based image format that can contain <script> elements and event handlers. When another user, including an administrator, loads a page rendering the malicious SVG, the embedded JavaScript executes within their browser session.
The attacker chains the XSS with the Ghost Admin API, which listens on 127.0.0.1:3001 in default development and many production configurations. The injected JavaScript issues authenticated requests against this API using the victim's session, performing actions such as password reset, role assignment, or new owner creation.
A contributor is the lowest-privileged authenticated role in Ghost. Successful exploitation pivots that minimal access into full ownership of the Ghost instance.
Root Cause
The upload handler permits the image/svg+xml content type for profile pictures and stores the file without stripping active content. Ghost then serves the SVG inline rather than forcing a download or rendering it as a rasterized image, allowing the browser to execute the script element.
Attack Vector
An authenticated contributor crafts an SVG that embeds JavaScript performing fetch requests against http://localhost:3001/ghost/api/admin/. The contributor sets this SVG as their profile picture. When an editor or administrator views any page displaying the contributor's avatar, the script runs with the victim's cookies and CSRF token, then issues API calls to create a new owner account or change credentials.
Technical details and proof-of-concept material are published in the Rhino Security Labs CVE-2024-23724 repository. The patch is tracked in Ghost pull request #19646.
Detection Methods for CVE-2024-23724
Indicators of Compromise
- Profile picture files with .svg extension or image/svg+xml MIME type in the Ghost content/images/ directory
- SVG files containing <script>, onload, onerror, or xlink:href="javascript:" attributes
- Unexpected new staff accounts with owner or administrator roles in the Ghost users table
- Outbound or loopback HTTP requests to 127.0.0.1:3001/ghost/api/admin/ originating from admin browser sessions
Detection Strategies
- Scan stored profile images for SVG content and inspect for embedded scripting constructs
- Audit the Ghost users and roles_users tables for role changes performed by contributor accounts
- Review Ghost access logs for admin API calls correlated with rendering of a contributor profile page
- Alert on creation of staff accounts immediately following a contributor's profile picture update
Monitoring Recommendations
- Forward Ghost application logs and reverse proxy access logs to a centralized logging platform
- Monitor for HTTP requests to administrative API endpoints that originate from referrers containing contributor profile URLs
- Track file uploads by MIME type and flag any SVG uploads to the avatar endpoint
How to Mitigate CVE-2024-23724
Immediate Actions Required
- Upgrade Ghost to a version that includes the fix from pull request #19646
- Audit existing profile pictures and remove any SVG files until patched
- Review staff accounts and revoke unexpected administrator or owner roles
- Restrict contributor signups and require manual approval for new authors
Patch Information
The fix is delivered in Ghost pull request #19646, which addresses SVG handling on profile picture uploads. Administrators running Ghost 5.76.0 or earlier should upgrade to a release containing this commit. Self-hosted operators using ghost-cli can apply the update with ghost update.
Workarounds
- Configure the upload handler or reverse proxy to reject image/svg+xml content types on the profile picture endpoint
- Serve user-uploaded images with Content-Disposition: attachment to prevent inline script execution
- Apply a strict Content Security Policy (CSP) on Ghost admin pages that disallows inline script execution from uploaded content
- Bind the Ghost Admin API to a non-loopback interface protected by authentication-aware network controls
# Nginx configuration example to block SVG profile uploads
location ~* /ghost/api/.*/images/upload {
if ($request_method = POST) {
if ($http_content_type ~* "image/svg\+xml") {
return 415;
}
}
proxy_pass http://127.0.0.1:2368;
}
# Force attachment disposition on served SVG assets
location ~* \.svg$ {
add_header Content-Disposition "attachment";
add_header Content-Security-Policy "default-src 'none'; script-src 'none'";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
