CVE-2024-34448: Ghost allows CSV Injection during member CSV export

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.33486%
Published: 5/22/2024
Updated: 5/22/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: @tryghost/members-csv
Ecosystem: npm
Vulnerable Versions: < 5.82.0
First Patched Version: 5.82.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing CSV formula escaping in the CSV export functionality. The patch explicitly adds 'escapeFormulae: true' to papaparse.unparse options in ghost/members-csv/lib/unparse.js, and the tests demonstrate injection scenarios with fields starting with '='. The vulnerable versions lacked this escaping mechanism, making the unparse() function the injection vector. The function's direct involvement in CSV generation and the specific security-focused patch confirm its role in the vulnerability.
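
The effect of the missing escaping, as an added example that is not Ghost's or papaparse's code: a small stand-alone serializer with an escapeFormulae switch modelled on the option the patch enables, run over the same member data with the switch off and on. The function names, the member records and the set of leading characters treated as formula starters are assumptions made for illustration.

```javascript
// Added example: a stand-alone serializer, not papaparse or Ghost code.
// Leading characters a spreadsheet may treat as the start of a formula (assumed set).
const FORMULA_LEAD = /^[=+\-@\t\r]/;

// Serialize one value; with escapeFormulae, string cells that start with a
// formula character get a leading single quote so they are read as text.
function toCell(value, escapeFormulae) {
  let text = value === null || value === undefined ? '' : String(value);
  if (escapeFormulae && typeof value === 'string' && FORMULA_LEAD.test(text)) {
    text = "'" + text;
  }
  // Ordinary CSV quoting: wrap fields containing , " CR or LF and double inner quotes.
  if (/[",\r\n]/.test(text)) {
    text = '"' + text.replace(/"/g, '""') + '"';
  }
  return text;
}

function unparseMembers(members, columns, { escapeFormulae = false } = {}) {
  const rows = members.map((m) =>
    columns.map((c) => toCell(m[c], escapeFormulae)).join(','));
  return [columns.join(','), ...rows].join('\r\n');
}

// Review helper: report which member fields would reach the export as formulas.
function findFormulaCells(members, columns) {
  const hits = [];
  members.forEach((m, row) => {
    for (const c of columns) {
      if (typeof m[c] === 'string' && FORMULA_LEAD.test(m[c])) {
        hits.push({ row, column: c });
      }
    }
  });
  return hits;
}

// Constructed sample data: member-controlled fields, one starting with '='.
const COLUMNS = ['email', 'name', 'note'];
const MEMBERS = [
  { email: 'alice@example.com', name: 'Alice', note: 'regular member' },
  { email: 'bob@example.com', name: '=1+1', note: '+trial, "gift"' },
];

console.log(unparseMembers(MEMBERS, COLUMNS));                           // without escaping
console.log(unparseMembers(MEMBERS, COLUMNS, { escapeFormulae: true })); // with escaping
console.log(findFormulaCells(MEMBERS, COLUMNS));
```

Numeric values are left untouched in this sketch, so a number such as -5 is still exported as a number while the string '-5' is quoted as text.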
