CVE-2021-29484
published 2021-04-29


Priority: P3 (46) · Severity: medium, 6.1 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 7.94% (94.0th percentile)
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged-in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running a Ghost version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3; all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround, blocking access to /ghost/preview can also mitigate the issue.

Affected (3 ranges)

Vendor     Product   Version range        Fixed in
ghost      ghost     >= 4.0.0, < 4.3.3    4.3.3
ghost      ghost     >= 4.0.0, < 4.3.3    4.3.3
tryghost   ghost     (not specified)      (not specified)

Detection & IOCs (extracted from sources)

Path: /ghost/preview
  • Send a GET request to /ghost/preview. A 200 response with Content-Type text/html whose body contains both 'XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send' and 'top.postMessage(' confirms the vulnerable endpoint is exposed.
  • The Shodan query http.component:"ghost" can be used to identify internet-exposed Ghost CMS instances for further targeted scanning.
  • Affected versions are Ghost 4.0.0 through 4.3.2. Any instance in this range with /ghost/preview accessible should be treated as vulnerable.
  • The endpoint is unused: it was added during the development of 4.0.0 and the patch simply removes it. Its mere presence (HTTP 200 plus the characteristic JavaScript strings) is therefore sufficient to confirm vulnerability without active exploitation. After upgrading to 4.3.3, or after blocking the path at a reverse proxy as the advisory's workaround, the same request should no longer return that page.
  • Exploitation requires user interaction: a logged-in Ghost Admin user must click an attacker-crafted link. The attack is DOM-based XSS rather than reflected or stored, so scanning server responses for injected payloads alone will not capture all attack variants.
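The probe described in the first bullet and the version range from the third, as an added example that is not code from this page or from the Ghost project. The marker strings, the /ghost/preview path and the 4.0.0 <= v < 4.3.3 range come from the text above; the User-Agent string, the generator meta-tag parsing and all sample responses are assumptions or constructed test data, and the tool gives a verdict for a patched, a proxy-blocked and a vulnerable response without touching the network.

```python
"""Offline-testable probe for CVE-2021-29484 exposure on a Ghost 4.x site.

Added example, not from the page or the Ghost project. Marker strings, path and
version range are taken from the advisory/detection notes; the User-Agent,
the generator-meta parsing and the sample responses are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PREVIEW_PATH = "/ghost/preview"
# Both strings must be present in the body (detection note above).
MARKERS = (
    "XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send",
    "top.postMessage(",
)
FIRST_AFFECTED = (4, 0, 0)   # >= 4.0.0
FIRST_FIXED = (4, 3, 3)      # < 4.3.3


@dataclass
class Probe:
    status: int
    content_type: str
    body: str


def preview_endpoint_exposed(p: Probe) -> bool:
    """True when the unused preview page is still being served.

    The patch removed the endpoint, so a 200 text/html page carrying the
    characteristic JavaScript confirms exposure; a 404 (patched) or a 403
    (blocked at the proxy, the advisory's workaround) does not.
    """
    if p.status != 200:
        return False
    if not p.content_type.lower().startswith("text/html"):
        return False
    return all(marker in p.body for marker in MARKERS)


def parse_version(text: str) -> tuple:
    """'4.3.2' -> (4, 3, 2); a missing patch field is treated as 0."""
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(version: str) -> bool:
    """Is this Ghost version inside the advisory's >= 4.0.0 < 4.3.3 range?"""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def generator_version(html: str):
    """Version from <meta name="generator" content="Ghost x.y.z">.

    Assumption: the theme emits this tag; it may carry only major.minor,
    so treat the result as a hint, not proof.
    """
    m = re.search(r'<meta\s+name="generator"\s+content="Ghost\s+([\d.]+)"', html, re.I)
    return m.group(1) if m else None


def assess(p: Probe) -> str:
    """One-line verdict combining the endpoint probe and the generator hint."""
    ver = generator_version(p.body)
    if preview_endpoint_exposed(p):
        hint = f" (generator reports Ghost {ver})" if ver else ""
        return "VULNERABLE: /ghost/preview served with the characteristic JS" + hint
    if ver and version_affected(ver):
        return f"CHECK: generator reports Ghost {ver} (affected range) but preview not served"
    return f"NOT EXPOSED: HTTP {p.status}"


def fetch_preview(base_url: str, timeout: float = 10.0) -> Probe:
    """GET <base_url>/ghost/preview and wrap the result as a Probe (network call)."""
    req = Request(base_url.rstrip("/") + PREVIEW_PATH,
                  headers={"User-Agent": "cve-2021-29484-check"})  # assumed UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
            return Probe(resp.status, resp.headers.get("Content-Type", ""), body)
    except HTTPError as err:
        return Probe(err.code, err.headers.get("Content-Type", ""), "")


# Constructed sample responses (not captured from a real site).
SAMPLE_VULNERABLE = Probe(
    200, "text/html; charset=utf-8",
    '<html><head><meta name="generator" content="Ghost 4.3.2" /></head><body><script>'
    "XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send = function () {};"
    'window.addEventListener("message", function (e) { top.postMessage(e.data, "*"); });'
    "</script></body></html>",
)
SAMPLE_PATCHED = Probe(404, "text/html; charset=utf-8",
                       '<html><head><meta name="generator" content="Ghost 4.3.3" /></head>'
                       "<body>404 Page not found</body></html>")
SAMPLE_BLOCKED = Probe(403, "text/html", "<html><body>403 Forbidden</body></html>")
# A JSON body that merely mentions the strings is not the preview page.
SAMPLE_JSON = Probe(200, "application/json",
                    '{"note": "top.postMessage( XMLHttpRequest.prototype.open = '
                    'XMLHttpRequest.prototype.send"}')

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(assess(fetch_preview(sys.argv[1])))
    else:
        for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED),
                             ("blocked", SAMPLE_BLOCKED), ("json", SAMPLE_JSON)):
            print(f"{name}: {assess(sample)}")
```

Run it with a base URL (e.g. `python check.py https://blog.example`) to probe a live site, or with no arguments to see the verdicts for the constructed samples. The status and content-type gates matter: a site fronted by a proxy that answers every unknown path with a 200 landing page would otherwise be a false positive, which is why both marker strings are required as well.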

CVSS provenance

NVD v3.1: 6.1 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 4.3 MEDIUM   AV:N/AC:M/Au:N/C:N/I:P/A:N