Описание
Ghost's improper authentication allows access to member information and actions
Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information.
Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.
If you're a self-hoster, please follow our update instructions.
Patches
v5.89.5 contains a fix for this issue.
Workarounds
Disable site membership in Ghost settings.
For more information
If you have any questions or comments about this advisory:
- Email us at security@ghost.org
Пакеты
ghost
>= 4.46.0, < 5.89.5
5.89.5
@tryghost/portal
>= 1.22.2, < 2.39.0
2.39.0
EPSS
6.9 Medium
CVSS4
6.5 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
Ghost is a Node.js content management system. Improper authentication ...
EPSS
6.9 Medium
CVSS4
6.5 Medium
CVSS3