CVE-2024-23724 is a stored cross-site scripting (XSS) vulnerability affecting Ghost CMS versions through 5.76.0. The vulnerability arises from the ability of contributor-level users to upload SVG images as profile pictures without adequate sanitization. SVG files can embed JavaScript code, which in this case can execute in the context of the Ghost admin interface or user session. The malicious script can interact with the Ghost API running locally on TCP port 3001, enabling the attacker to perform actions beyond their assigned privileges, including taking over any user account. This represents a privilege escalation attack facilitated by stored XSS. The vendor has stated they do not view this as a valid attack vector, possibly due to assumptions about network isolation or user roles, but the vulnerability remains a risk if an attacker can upload crafted SVGs. No CVSS score has been assigned, and no public exploits are known at this time. The attack requires contributor-level access to upload the malicious SVG and user interaction to trigger the payload. The vulnerability impacts the confidentiality and integrity of user accounts and potentially the entire Ghost CMS instance if exploited.

If exploited, this vulnerability allows an attacker with contributor-level access to escalate privileges and take over any user account within the Ghost CMS environment. This can lead to unauthorized content modification, data leakage, and full administrative control of the CMS. Organizations relying on Ghost for content management could face defacement, data integrity issues, and potential exposure of sensitive information. The attack vector requires the attacker to have some level of access (contributor) and the ability to upload SVG files, which may limit exposure but does not eliminate risk. The impact is significant for organizations that allow contributor uploads without strict validation or that do not restrict contributor permissions. Additionally, if the Ghost instance is exposed to a wider user base or integrated with other systems, the compromise could cascade, affecting broader infrastructure and user trust.

To mitigate this vulnerability, organizations should implement strict sanitization of SVG files to remove any embedded JavaScript or potentially malicious content before allowing uploads. Disabling SVG uploads entirely or restricting them to trusted users can reduce risk. Additionally, limiting contributor permissions to prevent profile picture uploads or restricting API access on localhost TCP port 3001 can help contain exploitation. Applying the latest Ghost CMS updates when patches become available is critical. Network segmentation and firewall rules should prevent unauthorized access to the localhost API port. Monitoring for unusual profile picture uploads and anomalous API activity can provide early detection. Educating users about the risks of uploading untrusted SVG files and enforcing strong access controls will further reduce exposure.