Ghost CMS Theme Preview XSS (CVE-2021-29484)
Description
Ghost CMS versions prior to 4.0.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in a theme preview endpoint. This endpoint was used during the development phase of version 4.0.0 and processes user-controlled input without proper sanitization, allowing malicious JavaScript to be executed in the context of a user's browser session.
Remediation
Immediately upgrade Ghost CMS to version 4.0.0 or later, which addresses this vulnerability. To perform the upgrade:
1. Back up your Ghost installation and database before proceeding
2. Review the Ghost upgrade documentation at https://ghost.org/docs/update/
3. For installations using Ghost-CLI, run the following commands:
   ghost stop
   ghost update
   ghost start
4. For manual installations, download the latest version from the official Ghost repository and follow the manual update process
5. After upgrading, verify the installation is running version 4.0.0 or higher by checking the Ghost admin panel or running:
   ghost version
6. If immediate patching is not possible, restrict access to the theme preview endpoint at the web server level until the upgrade can be completed
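To script the verification in step 5 across several hosts, here is an added POSIX sh example (not from the advisory or the Ghost project) that reads the "Ghost version:" line of Ghost-CLI's `ghost version` output (that line format is an assumption) and compares it against the fixed version 4.0.0 as a semantic version, so that 4.10.0 is correctly ranked above 4.9.0; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: decide whether a Ghost install is at or above the version
# that fixes CVE-2021-29484. Assumes `ghost version` prints a line such as
# "Ghost version: 3.42.5 (at /var/www/ghost)".

FIXED_VERSION="4.0.0"

# Print the X.Y.Z version from the "Ghost version:" line of $1 (empty if absent).
# The "Ghost-CLI version:" line is deliberately skipped.
extract_version() {
    printf '%s\n' "$1" | grep -i '^ghost version' \
        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing each X.Y.Z field numerically
# (a plain string comparison would wrongly rank 4.9.0 above 4.10.0).
version_ge() {
    set -- $(printf '%s' "$1" | tr '.' ' ') $(printf '%s' "$2" | tr '.' ' ')
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Classify raw `ghost version` output as patched, vulnerable or unknown.
ghost_status() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD="Ghost-CLI version: 1.17.3
Ghost version: 3.42.5 (at /var/www/ghost)"
SAMPLE_NEW="Ghost-CLI version: 1.17.3
Ghost version: 4.10.0 (at /var/www/ghost)"

ghost_status "$SAMPLE_OLD"   # vulnerable
ghost_status "$SAMPLE_NEW"   # patched
```

On a live host, pipe the real output in with `ghost_status "$(ghost version)"` from the Ghost install directory.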