
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Ghost CMS through version 5.76.0 contains a stored cross-site scripting (XSS) vulnerability that enables privilege escalation. A contributor-level user can take over any account by uploading a malicious SVG profile picture whose embedded JavaScript interacts with the API on localhost port 3001 (Rhino CVE Details, MITRE CVE).
The flaw lies in Ghost CMS's handling of SVG profile picture uploads: an authenticated attacker with contributor privileges can upload a crafted SVG file that carries JavaScript. SVG is an XML document format, so a script inside it runs when the file is opened directly in a browser (not when it is merely rendered through an <img> element); when the tenant Owner views the uploaded picture that way, the embedded script executes in the Owner's browser session, leading to privilege escalation (Rhino CVE Details).
Successful exploitation lets an attacker with contributor-level access escalate to Owner, the role with complete control over the Ghost CMS instance, which amounts to full tenant and account takeover (Rhino CVE Details).
The CVE entry is marked DISPUTED because the vendor initially did not consider this a valid attack vector. Security researchers nonetheless emphasized its significance, and an unofficial patch was proposed in pull request #19646; it runs uploaded SVG files through DOMPurify so that scripting content is stripped before the file is stored (Ghost PR, MITRE CVE).
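As an added illustration (not code from Ghost or from PR #19646), the Node.js script below shows what a scripting SVG of the kind described above looks like and an upload-time gate that fails closed on such content. The SVG samples are constructed for the demo and the function names are my own. The gate is a reject-list check rather than a sanitizer: it flags <script>, <foreignObject> and similar elements, on* event handlers, javascript:/data: URLs (decoding XML character references and dropping embedded whitespace and control characters, which browsers also ignore), SMIL animation of href, and entity declarations.

```javascript
// Added example, not Ghost's code: an upload-time gate that rejects SVG
// files carrying scripting constructs. Function names and SVG samples are
// my own (constructed for this demo).
'use strict';

const XML_NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode XML character references so "&#106;avascript:" is seen as "javascript:".
function decodeXmlEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return XML_NAMED_ENTITIES[body.toLowerCase()] ?? match;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Browsers strip ASCII whitespace/control characters from URLs, so "java\tscript:"
// behaves like "javascript:". Raster data: URLs (embedded PNG/JPEG/...) are allowed.
function hasDangerousScheme(value) {
  const norm = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  if (/^(javascript|vbscript):/.test(norm)) return true;
  if (norm.startsWith('data:')) return !/^data:image\/(png|jpe?g|gif|webp)[;,]/.test(norm);
  return false;
}

const NAME_RE = /[A-Za-z_:][\w:.-]*/y;
// Quote-aware attribute matcher: a '>' inside a quoted value must not end the tag.
const ATTR_RE = /[\s\/]*([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/y;

// Minimal tag scanner: yields { name, closing, attrs, raw, truncated } for each tag,
// with name '!' for declarations, comments and processing instructions.
function* scanTags(svg) {
  let i = 0;
  while ((i = svg.indexOf('<', i)) !== -1) {
    let j = i + 1;
    if (svg[j] === '!' || svg[j] === '?') {
      const end = svg.indexOf('>', j);
      const stop = end === -1 ? svg.length : end + 1;
      yield { name: '!', closing: false, attrs: new Map(), raw: svg.slice(i, stop), truncated: end === -1 };
      i = stop;
      continue;
    }
    const closing = svg[j] === '/';
    if (closing) j++;
    NAME_RE.lastIndex = j;
    const nameMatch = NAME_RE.exec(svg);
    if (!nameMatch) { i = j; continue; }
    const name = nameMatch[0].toLowerCase().split(':').pop(); // svg:script -> script
    let k = NAME_RE.lastIndex;
    const attrs = new Map();
    for (;;) {
      ATTR_RE.lastIndex = k;
      const attrMatch = ATTR_RE.exec(svg);
      if (!attrMatch) break;
      attrs.set(attrMatch[1].toLowerCase(), decodeXmlEntities(attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? ''));
      k = ATTR_RE.lastIndex;
    }
    const end = svg.indexOf('>', k);
    const stop = end === -1 ? svg.length : end + 1;
    yield { name, closing, attrs, raw: svg.slice(i, stop), truncated: end === -1 };
    i = stop;
  }
}

const SCRIPTING_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object', 'handler']);
const URL_ATTRIBUTES = new Set(['href', 'src', 'from', 'to', 'values']);

// Returns the reasons an SVG should be rejected (empty array = nothing found).
function findSvgScriptingConstructs(svg) {
  const findings = [];
  for (const tag of scanTags(svg)) {
    if (tag.truncated) findings.push('unterminated markup');
    if (tag.name === '!') {
      if (/<!ENTITY/i.test(tag.raw)) findings.push('entity declaration in DOCTYPE');
      continue;
    }
    if (tag.closing) continue;
    if (SCRIPTING_ELEMENTS.has(tag.name)) findings.push(`<${tag.name}> element`);
    for (const [attr, value] of tag.attrs) {
      const local = attr.split(':').pop(); // xlink:href -> href
      if (local.length > 2 && local.startsWith('on')) findings.push(`${attr} event handler on <${tag.name}>`);
      if (URL_ATTRIBUTES.has(local)) {
        const parts = local === 'values' ? value.split(';') : [value]; // SMIL value lists use ';'
        for (const part of parts) {
          if (hasDangerousScheme(part)) findings.push(`${attr}="${part.trim()}" on <${tag.name}>`);
        }
      }
      if (local === 'attributename' && value.toLowerCase().split(':').pop() === 'href') {
        findings.push(`SMIL animation of href on <${tag.name}>`);
      }
    }
  }
  return findings;
}

// Upload gate: fail closed on size, on a non-<svg> root, and on any scripting construct.
function checkSvgUpload(svgText, maxBytes = 256 * 1024) {
  if (Buffer.byteLength(svgText, 'utf8') > maxBytes) return { ok: false, findings: ['file too large'] };
  const root = [...scanTags(svgText)].find((t) => t.name !== '!');
  if (!root || root.name !== 'svg' || root.closing) return { ok: false, findings: ['root element is not <svg>'] };
  const findings = findSvgScriptingConstructs(svgText);
  return { ok: findings.length === 0, findings };
}

// Constructed samples, not real uploads.
const MALICIOUS_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>/* would run when the SVG is opened directly in the browser */</script>
  <a xlink:href="&#106;ava&#x73;cript:alert(document.domain)"><text y="20">profile</text></a>
</svg>`;
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
  <circle cx="32" cy="32" r="30" fill="#6c5ce7"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="8" height="8"/>
</svg>`;

for (const [label, svg] of [['malicious', MALICIOUS_SVG], ['benign', BENIGN_SVG]]) {
  console.log(label, checkSvgUpload(svg));
}
```

A gate like this is a cheap first line, not a substitute for the allow-list, parser-based sanitizer (DOMPurify) that the unofficial patch adds, and either control can be bypassed by a parser quirk the checker did not anticipate. Independently of sanitization, user-uploaded SVGs should not be served from the same origin as the admin interface without a `Content-Security-Policy: sandbox` (or `Content-Disposition: attachment`) response header, since the script in an SVG only executes when the file is opened as a document, not when it is rendered through an <img> element.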
Source: This report was generated using AI