Impact
Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.
Vulnerable Versions
This vulnerability is present in Ghost v0.7.2 to v6.19.0.
Patches
v6.19.1 contains a fix for this issue.
Workarounds
We generally recommend refraining from installing untrusted themes. If a malicious theme has already been installed, we recommend uninstalling the theme and inspecting it to understand its impact, which will be attack-specific.
References
We thank Cristian-Alexandru Staicu of Endor Labs for disclosing this vulnerability responsibly.
For more information
If you have any questions or comments about this advisory, email us at security@ghost.org.