CVE-2022-47196: 
NixOS vulnerability analysis and mitigation

An insecure default vulnerability (CVE-2022-47196) was discovered in Ghost Foundation Ghost 5.9.4's Post Creation functionality. The vulnerability allows non-administrator users to inject arbitrary Javascript in posts through the codeinjection_head field, potentially leading to privilege escalation to administrator via XSS. This vulnerability can be triggered when an attacker sends an HTTP request to inject Javascript in a post and tricks an administrator into visiting the post (Talos).

The vulnerability is classified as an Insecure Default Variable Initialization (CWE-453) and Cross-site Scripting (CWE-79) issue. It received a CVSS v3.1 base score of 5.4 (MEDIUM) from NVD and 9.0 (CRITICAL) from Talos, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically exists in the codeinjection_head field for posts, where insufficient input validation allows for JavaScript injection (NVD).

When exploited, this vulnerability allows attackers with basic user privileges to potentially escalate their privileges to administrator level through XSS attacks. In default installations of Ghost CMS, this effectively means that users who can author pages have the same privileges as administrators (Talos).

To mitigate this vulnerability, administrators can separate the admin domain as documented in Ghost's configuration guide. This prevents the vulnerability from being exploited to perform privileged API calls, such as modifying user groups or adding users (Talos).