What is CVE-2023-32235?

CVE-2023-32235 is a vulnerability in N/a. Published 2023-05-05.

Is CVE-2023-32235 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2023-32235

Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

EPSS: 0.941 (99.9th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

AXRoux/Ghost-Path-Traversal-CVE-2023-32235-
137f/Ghost-CMS-5.42.1---Path-Traversal
VEEXH/Ghost-Path-Traversal-CVE-2023-32235-
ibrahmsql/Ghostscan
nomi-sec/PoC-in-GitHub

References

github.com/TryGhost/Ghost/commit/378dd913aa8d0fd0da29b0ffced8884579598b0f
github.com/TryGhost/Ghost/compare/v5.42.0...v5.42.1

Frequently asked questions

What is CVE-2023-32235?: CVE-2023-32235 is a vulnerability in N/a. Published 2023-05-05.
Is CVE-2023-32235 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.