| Field | Value |
|---|---|
| CVE | CVE-2024-23724 |
| CVE Title | |
| Published Date | 2024-02-11T01:15Z |
| Modified Date | 2024-02-11T22:29Z |
| Description | Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector." |
References
- https://rhinosecuritylabs.com/blog/
- https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724
- https://github.com/TryGhost/Ghost/pull/19646
Sources: NIST, MITRE
Note
- No CVSS data for this CVE