cvedb.io
CVE-2022-47197
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2023-01-19T18:15:14.650 · Last modified 2026-06-17T05:13:15.140

Summary

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

Affected products

ghost — ghost

Does this affect you?

Add your gear to cvedb and we'll alert you only when ghost ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.