CVE-2022-47195: 
NixOS vulnerability analysis and mitigation

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. The vulnerability specifically exists in the facebook field for a user, where a stored XSS vulnerability can be triggered when a higher-level user previews or visits any post by the malicious user (Talos Intelligence).

The vulnerability is tracked as CVE-2022-47195 and has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) by NIST and 9.0 (CRITICAL) by Talos with vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-453 (Insecure Default Variable Initialization). The vulnerability can be exploited by sending a specially crafted HTTP request to inject Javascript in a post's facebook field (NVD, Talos Intelligence).

The vulnerability allows attackers to perform privilege escalation via XSS, potentially gaining administrator access. In default installations of Ghost CMS, this effectively means that users who can author pages have the same privileges as administrators. The vulnerability can be triggered when a higher-level user simply previews or visits any post by the malicious user, as these social links are included in all of a user's posts (Talos Intelligence).

To prevent this type of vulnerability from being exploited, administrators can separate the admin domain as documented at ghost.org/docs/config/#admin-url. This will prevent the vulnerability from being used to perform privileged API calls, such as modifying user groups or adding users (Talos Intelligence).

The vendor initially did not consider the issue a security problem when it was reported on October 26, 2022, and maintained this position through multiple communications until January 12, 2023 (Talos Intelligence).