AI description
CVE-2023-40028 is a vulnerability affecting Ghost, an open-source content management system. Versions prior to 5.59.1 are vulnerable. It allows authenticated users to upload files that are symbolic links (symlinks). This vulnerability can be exploited to perform arbitrary file reads on the host operating system. By uploading a malicious ZIP file containing a symlink, an attacker can gain unauthorized access to sensitive files on the system. To mitigate this, users are advised to upgrade to version 5.59.1 or later. Administrators can also check for exploitation by looking for unknown symlinks within Ghost's `content/` folder.
- Description
- Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- Hype score
- Not currently trending
LinkVortex from @hackthebox_eu is a nice easy-level machine with Ghost exploitation and bash script abuse. I enjoyed generating the CVE-2023-40028 exploit from the git diff, manually and then with Python. And I loved exploiting the root step three ways! https://t.co/DJtocLqQIc
@0xdf_
12 Apr 2025
1889 Impressions
7 Retweets
60 Likes
8 Bookmarks
0 Replies
0 Quotes
LinkVortex is an easy machine from @hackthebox_eu:Subdomain enumeration=>Hidden subdomain=>Dump exposed .git directory=>Exfiltrate creds=>CVE-2023-40028=>Symlink file upload=>Arbitrary file read=>Get new creds=>Abuse a custom script that symlinks png files
@_kujen5
12 Apr 2025
48 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "FC21CBC6-473C-4BF5-8F11-317A9FE0F1FB",
"versionEndExcluding": "5.59.1"
}
],
"operator": "OR"
}
]
}
]