CVE-2021-29484
Published 2021-04-29
CVE-2021-29484: Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin…
Priority: P3 · 46 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit likelihood (EPSS): 7.94%, 94.0th percentile
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged-in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running a Ghost version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3; all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround, blocking access to /ghost/preview also mitigates the issue.
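The workaround named above, as an added example that is not part of the Ghost advisory or of Ghost's own configuration: an nginx `location` block that refuses the unused endpoint before the request reaches the Node process. It assumes the Ghost-CLI style deployment in which nginx fronts Ghost; the hostname and the upstream address 127.0.0.1:2368 (Ghost's default port) are assumptions to adjust for the real site.

```nginx
# Added example for the /ghost/preview workaround; not from the Ghost advisory.
# Assumes nginx is the reverse proxy in front of Ghost (the Ghost-CLI default).
server {
    listen 80;
    server_name blog.example.com;   # assumed hostname

    # /ghost/preview is unused in every 4.x release, so nothing legitimate breaks.
    # '^~' makes this prefix match take precedence over any regex locations,
    # and also covers variants such as /ghost/preview/ or /ghost/preview?x=1.
    location ^~ /ghost/preview {
        return 404;
    }

    # Everything else, including the real admin at /ghost/, continues to Ghost.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2368;   # Ghost's default port (assumption)
    }
}
```

After `nginx -t` and a reload, a GET to /ghost/preview should return 404 while /ghost/ still loads the admin. Treat this as a stopgap only: it protects a single proxy path, so a second ingress (direct access to port 2368, another vhost) would still expose the endpoint, whereas upgrading to 4.3.3 removes the route from Ghost itself.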
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | >= 4.0.0 < 4.3.3 | 4.3.3 |
| ghost | ghost | >= 4.0.0 < 4.3.3 | 4.3.3 |
| tryghost | ghost | — | — |
Detection & IOCs (extracted from sources)
- Send a GET request to /ghost/preview and check the response body for the strings 'XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send' AND 'top.postMessage(' together with a 200 HTTP status and a Content-Type of text/html to confirm the vulnerable endpoint is exposed. A plain GET is safe to issue: it only fetches the unused page and triggers nothing on the server.
- The Shodan query http.component:"ghost" can be used to identify internet-exposed Ghost CMS instances for further targeted scanning.
- Affected versions are Ghost 4.0.0 through 4.3.2 (Node.js). Any instance in this range with /ghost/preview accessible should be treated as vulnerable.
- The vulnerable endpoint /ghost/preview is described as unused: it was added during development of 4.0.0 and never intended for production. The patch simply removes it, so the endpoint's mere presence (HTTP 200 plus the characteristic JS strings) is sufficient to confirm vulnerability without active exploitation. Because no legitimate client requests it, any hit on /ghost/preview in web-server access logs from before the patch is worth reviewing.
- Exploitation requires user interaction: a logged-in Ghost Admin user must click an attacker-crafted link. The attack is DOM-based XSS, not reflected or stored: the payload executes in the victim's browser and is never echoed back by the server, so server-side response scanning or a WAF alone may not capture all attack variants.
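The three-condition check in the first bullet, as an added example in JavaScript that is not code from the page or from the Nuclei project: a function that classifies an already-fetched response (so it runs offline against captured data), plus a thin wrapper that fetches /ghost/preview with Node's built-in `fetch` (Node 18+). The sample responses are constructed for illustration; the patched-server body is an assumption, since only the status matters there.

```javascript
// Added example, not from the page or from the Nuclei template it describes.
// Applies the same three conditions: HTTP 200, Content-Type text/html, and
// BOTH marker strings present in the body.

const MARKERS = [
  "XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send",
  "top.postMessage(",
];

// resp: { status: number, headers: { [lowercaseName]: string }, body: string }
function isVulnerablePreviewResponse(resp) {
  if (resp.status !== 200) return false;
  const contentType = String(resp.headers["content-type"] || "").toLowerCase();
  if (!contentType.includes("text/html")) return false;
  // AND condition: one marker alone (e.g. any page calling postMessage) is not enough.
  return MARKERS.every((marker) => resp.body.includes(marker));
}

// Live check using Node 18+ global fetch; not exercised by the samples below.
// redirect: "manual" so a login redirect (3xx) is reported as-is instead of followed.
async function checkGhostPreview(baseUrl) {
  const url = new URL("/ghost/preview", baseUrl).toString();
  const res = await fetch(url, { redirect: "manual" });
  const headers = {};
  res.headers.forEach((value, name) => { headers[name.toLowerCase()] = value; });
  const body = await res.text();
  return { url, status: res.status, vulnerable: isVulnerablePreviewResponse({ status: res.status, headers, body }) };
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = {
  vulnerable: {
    status: 200,
    headers: { "content-type": "text/html; charset=utf-8" },
    body: [
      "<!DOCTYPE html><html><body><script>",
      "XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send;",
      "window.addEventListener('message', function () { top.postMessage('ready', '*'); });",
      "</script></body></html>",
    ].join("\n"),
  },
  // After 4.3.3 the route is gone; the body shape is assumed, only the status matters.
  patched: {
    status: 404,
    headers: { "content-type": "text/html; charset=utf-8" },
    body: "<html><body>404 Not Found</body></html>",
  },
  // A 200 HTML page that merely calls postMessage must not be flagged.
  postMessageOnly: {
    status: 200,
    headers: { "content-type": "text/html" },
    body: "<html><body><script>top.postMessage('x', '*');</script></body></html>",
  },
  // Both markers but served as JSON: the header check keeps API error pages out.
  wrongContentType: {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ html: "XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send top.postMessage(" }),
  },
};

// Classify every constructed sample; returns { name: boolean }.
function classifySamples() {
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLES)) out[name] = isVulnerablePreviewResponse(resp);
  return out;
}

console.log(classifySamples());
// { vulnerable: true, patched: false, postMessageOnly: false, wrongContentType: false }
```

To run it against a host, call `checkGhostPreview("https://blog.example.com")` from an async context; a `vulnerable: false` with status 3xx usually means the proxy or Ghost redirected the request (login, trailing slash), not that the route is absent, so inspect `status` before concluding.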
CVSS provenance
- NVD v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
GHSA (ghsa · 2021-04-29)
CVE-2021-29484 [MEDIUM] CWE-79 · DOM XSS in Theme Preview
### Impact
An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged-in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site.
Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added.
Self-hosters are impacted if running a Ghost version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site - see patches & workarounds below.
### Patches
Fixed in 4.3.3; all 4.x sites should upgrade as soon as possible.
As the endpoint is unused, the patch simply removes it.
OSV (osv · 2021-04-29)
CVE-2021-29484 [MEDIUM] · DOM XSS in Theme Preview
The OSV entry carries the same Impact and Patches text as the GHSA advisory above.
No detection rules found.
Nuclei (CVSS 6.1)
CVE-2021-29484 [MEDIUM] · Ghost CMS <=4.32 - Cross-Site Scripting
Ghost CMS 4.0.0 to 4.3.2 contains a DOM cross-site scripting vulnerability. An unused endpoint added during the development of 4.0.0 allows attackers to gain access by getting logged-in users to click a link containing malicious code.
Template (indexed copy, truncated after the impact field):

```yaml
id: CVE-2021-29484

info:
  name: Ghost CMS <=4.32 - Cross-Site Scripting
  author: rootxharsh,iamnoooob
  severity: medium
  description: Ghost CMS 4.0.0 to 4.3.2 contains a DOM cross-site scripting vulnerability. An unused endpoint added during the development of 4.0.0 allows attackers to gain access by getting logged-in users to click a link containing malicious code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim'
```
No writeups or analysis indexed.
References
- https://blog.sonarsource.com/ghost-admin-takeover
- https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
- https://www.npmjs.com/package/ghost
Published: 2021-04-29