Impact
Ghost is a Node.js content management system that exposes an Admin API file upload endpoint. From 6.19.4 through 6.21.0 the system does not verify the client‑supplied Content‑Type header. An attacker can upload a file with a chosen MIME type and have it served with that type when the storage backend is S3 or GCS. If the site serves uploaded files from the same origin, the attacker can inject malicious scripts that are stored and later executed for any user or staff who visits the site, leading to a stored cross‑site scripting vulnerability consistent with CWE‑434. The issue is fixed in Ghost 6.21.1.
Affected Systems
The issue affects TryGhost Ghost versions 6.19.4, 6.20.x, and 6.21.0. These releases are vulnerable when uploads are served from the same domain as the site. Versions prior to 6.19.4 or 6.21.1 and newer are not impacted.
Risk and Exploitability
The CVSS score is 5.4, indicating moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the Admin API file upload endpoint, typically meaning elevated user privileges. Once an attacker has such access, he can upload files with a malicious content type that will be served to site visitors, enabling stored XSS. No EPSS score is available, so the likelihood of exploitation is uncertain, but the moderate CVSS and authorized‑user requirement suggest a medium risk in environments that expose the Admin API to potential attackers.
OpenCVE Enrichment