CVE-2024-34448: 
JavaScript vulnerability analysis and mitigation

Ghost CMS before version 5.82.0 contains a CSV Injection vulnerability (CVE-2024-34448) during member CSV export functionality. The vulnerability was discovered and disclosed in May 2024, affecting the core export functionality of the Ghost content management system (GitHub CVE).

The vulnerability allows for CSV injection attacks through member registration fields during CSV export operations. The issue received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (NVD).

The vulnerability can lead to potential code execution in applications that open the exported CSV files. It affects both information disclosure and privilege escalation vectors, as attackers can inject malicious payloads through member registration fields that get executed when the CSV is opened in spreadsheet applications (GitHub CVE).

The vulnerability has been fixed in Ghost version 5.82.0. Users should upgrade to this version or later to mitigate the risk. The fix was implemented through a commit that addresses the CSV injection vulnerability (GitHub CVE).