CVE-2023-40028
published 2023-08-15


Priority: P2 · 60 · medium 6.5 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: known
EPSS: 57.56% (99.0th percentile)
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (3 ranges)

Vendor     Product   Version range     Fixed in
ghost      ghost     < 5.59.1          5.59.1
ghost      ghost     >= 0, < 5.59.1    5.59.1
tryghost   ghost     < 5.59.1          5.59.1

Detection & IOCs (extracted from sources)

url:  /ghost/api/v3/admin/session/
url:  /ghost/api/v3/admin/db
path: /content/images/2024/<random_name>.png
path: exploit/content/images/2024/
path: content/
  • Look for unknown symlinks within Ghost's content/ directory on the host filesystem — this is the primary forensic indicator of exploitation.
  • Detect POST requests to the Ghost Admin API /db endpoint (import endpoint) with a multipart ZIP upload containing a file named 'exploit.zip' or a ZIP whose internal structure includes a symlink under content/images/.
  • Detect the custom request header 'X-Ghost-Version: 5.58' combined with a POST to the /db import endpoint — the exploit hardcodes this version header regardless of the actual server version.
  • After a ZIP import, monitor for HTTP GET requests to /content/images/2024/<random 13-char alphanumeric>.png that return content inconsistent with image data (e.g., text/plain content-type or ASCII text body), indicating a symlink was followed to a sensitive file.
  • The exploit targets sensitive OS files via symlink; monitor web server access logs for GET requests to Ghost's static content path that resolve to /etc/passwd, /etc/shadow, /proc/version, or similar non-image paths.
  • The exploit requires valid authenticated credentials to the Ghost Admin panel before the symlink upload can be triggered — unauthenticated exploitation is not possible.
  • The exploit hardcodes the ZIP internal path as content/images/2024/ and accesses the file via /content/images/2024/<name>.png — detection rules scoped only to other year subdirectories may miss variants that alter this path.
  • The image filename used for the symlink is randomly generated (13 alphanumeric characters) each run, so static filename-based IOCs will not be reliable; pattern-based detection (13-char alphanum .png in /content/images/2024/) is required.
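The two checks above, as an added example that is not from this page or the Ghost project: a scan of Ghost's content/ tree for symlinks that resolve outside it (the primary forensic indicator), and a pass over access-log lines that flags 13-character random .png names served as non-image content. The log line shape and the any-year path pattern are assumptions; the sample log lines and the temporary directory are constructed here.

```python
import os
import re
import tempfile
from pathlib import Path

# Advisory pattern: 13-char alphanumeric .png under /content/images/<year>/;
# accepting any year (the page describes 2024) is an assumption to catch path variants.
SUSPICIOUS_PNG = re.compile(r"^/content/images/\d{4}/[A-Za-z0-9]{13}\.png$")
# Constructed log shape (assumption): combined-style line + quoted response Content-Type.
LOG_RE = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \S+ "([^"]*)"$')

def flag_log_lines(lines):
    # Request paths matching the exploit pattern that were not served as an image.
    flagged = []
    for m in filter(None, map(LOG_RE.search, lines)):  # lines that do not parse are skipped
        method, path, status, ctype = m.groups()
        if (method == "GET" and status == "200" and SUSPICIOUS_PNG.match(path)
                and not ctype.startswith("image/")):
            flagged.append(path)
    return flagged

def find_escaping_symlinks(content_dir):
    # Symlinks under content/ whose target resolves outside it.
    root = Path(content_dir).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not descended
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = p.resolve(strict=False)
                if target != root and root not in target.parents:
                    hits.append((str(p.relative_to(root)), str(target)))
    return hits

# Constructed sample access-log lines (not from the page): a random 13-char name served
# as text/plain (suspicious) and a random 13-char name served as a real image (benign).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /content/images/2024/aB3dE5fG7hJ9k.png HTTP/1.1" 200 1843 "text/plain"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /content/images/2024/Zz9Yy8Xx7Ww6V.png HTTP/1.1" 200 5120 "image/png"',
]

def demo_symlink_scan():
    # Throwaway content/ tree (constructed) with one in-tree symlink and one that escapes.
    tmp = Path(tempfile.mkdtemp())
    images = tmp / "content" / "images" / "2024"
    images.mkdir(parents=True)
    (images / "alias.png").symlink_to(images / "real.png")    # stays inside content/
    (images / "aB3dE5fG7hJ9k.png").symlink_to("/etc/passwd")  # escapes content/
    return find_escaping_symlinks(tmp / "content")
```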