Arbitrary File Upload Vulnerability in Ghost v4.39.0 Allows Execution of Code via Crafted SVG File

Arbitrary File Upload Vulnerability in Ghost v4.39.0 Allows Execution of Code via Crafted SVG File

CVE-2022-27139 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality

Learn more about our Cis Benchmark Audit For Server Software.