CVE-2022-47197
NixOS vulnerability analysis and mitigation

Overview

Ghost Foundation Ghost 5.9.4 contains an insecure default vulnerability (CVE-2022-47197) in its Post Creation functionality. The vulnerability was discovered in December 2022 and publicly disclosed on January 19, 2023. The issue affects default installations of Ghost CMS, specifically version 5.9.4, allowing non-administrator users to inject arbitrary JavaScript in posts, which can lead to privilege escalation to administrator via XSS (Talos Report).

Technical details

The vulnerability exists in the codeinjection_foot field of posts. An attacker with post-authoring rights can send an HTTP request that stores JavaScript in this field and then lure an administrator into visiting the post, where the script runs in the administrator's browser context. The vulnerability has been assigned a CVSS v3.0 score of 9.0 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The issue is classified under CWE-453 (Insecure Default Variable Initialization) (Talos Report, NVD).

Impact

The vulnerability allows non-administrator users to effectively gain administrator privileges through XSS attacks. In default installations of Ghost CMS, this means that users who can author pages essentially have the same privileges as administrator users. The attack can be triggered when a higher-level user previews or visits any post by the malicious user (Talos Report).

Mitigation and workarounds

The primary mitigation is to separate the admin domain as documented at ghost.org/docs/config/#admin-url. This separation will prevent the vulnerability from being exploited to perform privileged API calls, such as modifying user groups or adding users. However, this is not enabled in default installations (Talos Report).
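A defender-side audit for the two points above (the codeinjection_foot field and the separate admin URL), as an added example that is not part of the advisory or of Ghost's own code. It assumes a Ghost config dict with the documented url and admin.url keys, and a constructed, simplified subset of the Admin API post shape (authors carrying a roles list); the active-content regex is a heuristic.

```python
"""Audit helpers for the CVE-2022-47197 exposure in Ghost CMS.
Example code added to this page; not Ghost's own code. Post records below
are a constructed, simplified subset of the Admin API shape (assumption)."""
import re
from urllib.parse import urlsplit

# Crude markers of active content in a codeinjection field; tune for your
# own templates (assumption, not a Ghost-defined rule).
SCRIPT_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
PRIVILEGED_ROLES = {"Owner", "Administrator"}


def admin_origin_separated(config: dict) -> bool:
    """True when admin.url is set and its host differs from the site url host,
    i.e. the mitigation from ghost.org/docs/config/#admin-url is applied."""
    site = urlsplit(config.get("url", ""))
    admin = urlsplit(config.get("admin", {}).get("url", ""))
    return bool(admin.hostname) and admin.hostname != site.hostname


def suspicious_posts(posts: list) -> list:
    """Return (post id, field) pairs where a non-privileged author's post
    carries script-like content in codeinjection_head or codeinjection_foot."""
    hits = []
    for post in posts:
        roles = {r for a in post.get("authors", []) for r in a.get("roles", [])}
        if roles & PRIVILEGED_ROLES:
            continue  # admins may legitimately inject analytics snippets
        for field in ("codeinjection_head", "codeinjection_foot"):
            if SCRIPT_RE.search(post.get(field) or ""):
                hits.append((post["id"], field))
    return hits


# Constructed sample data: a default (weak) config beside the hardened one,
# and three posts of which only p1 is a non-admin post carrying a script.
WEAK_CONFIG = {"url": "https://blog.example.com"}
HARDENED_CONFIG = {"url": "https://blog.example.com",
                   "admin": {"url": "https://admin.example.com"}}
SAMPLE_POSTS = [
    {"id": "p1", "authors": [{"roles": ["Contributor"]}],
     "codeinjection_foot": "<script>alert(1)</script>"},
    {"id": "p2", "authors": [{"roles": ["Administrator"]}],
     "codeinjection_foot": "<script src='/analytics.js'></script>"},
    {"id": "p3", "authors": [{"roles": ["Author"]}], "codeinjection_foot": None},
]

if __name__ == "__main__":
    print("admin origin separated:", admin_origin_separated(HARDENED_CONFIG))
    print("suspicious posts:", suspicious_posts(SAMPLE_POSTS))
```

The separation check only confirms the config value; a separate admin origin must also be served by a distinct hostname for the browser's same-origin policy to isolate the admin session.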

Community reactions

Notably, there was some disagreement between the security researchers and the vendor regarding the severity of this issue. According to the timeline, the vendor initially did not consider the issue a security problem when contacted in October 2022, and maintained this position through January 2023, even after receiving a revised advisory (Talos Report).
