API Security Blog

Remote code execution in locale setting change

### Impact

A [vulnerability](https://www.cve.org/CVERecord?id=CVE-2022-24785) in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that has previously been uploaded using the file upload functionality in the post editor.

### Patches

Fixed in 5.2.3; all 5.x sites should update as soon as possible.
Fixed in 4.48.2; all 4.x sites should update as soon as possible.

### Workarounds

Patched versions of Ghost add validation to the locale input to prevent execution of arbitrary files. Updating Ghost is the quickest complete solution.

As a workaround, if for any reason you cannot update your Ghost instance, you can block the `POST /ghost/api/admin/settings/` endpoint, which will also disable updating settings for your site.
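One way to apply that workaround at the reverse proxy, as an added example that is not part of the advisory or of the Ghost project: the settings endpoint stays readable, but any method that could modify settings is refused before it reaches Ghost. It assumes nginx fronts Ghost on 127.0.0.1:2368 (Ghost's default port), uses a placeholder hostname, and leaves TLS configuration out for brevity.

```nginx
# Added example, not from the advisory or from Ghost itself.
# Assumptions: nginx proxies to Ghost on 127.0.0.1:2368 (default port);
# blog.example.com is a placeholder; TLS directives are omitted.
server {
    listen 80;
    server_name blog.example.com;

    # Exact match on the settings endpoint named in the advisory.
    # limit_except lets only the listed methods through and answers
    # everything else (POST included) with 403, so settings can still
    # be read but no longer changed, which is the trade-off the
    # advisory describes for this workaround.
    location = /ghost/api/admin/settings/ {
        limit_except GET HEAD OPTIONS {
            deny all;
        }
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (site, Admin API, uploads) is proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Blocked attempts show up in the nginx access log as 403 responses on this path, which also gives a simple way to confirm the rule is in effect and to notice anyone probing it before the update is applied.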

### For more information

If you have any questions or comments about this advisory:
* Email us at [security@ghost.org](mailto:security@ghost.org)

### Credits

* devx00 – https://twitter.com/devx00
