CVE-2024-23725: Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
Description
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
Classification
CVE ID: CVE-2024-23725
Affected Products
Vendor: n/a
Product: n/a
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.16% (probability of being exploited)
EPSS Percentile: 38.19% (scored less or equal to compared to others)
EPSS Date: 2025-06-08 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-23725https://github.com/TryGhost/Ghost/pull/17190
https://github.com/TryGhost/Ghost/releases/tag/v5.76.0