Описание
Ghost Vulnerable to Remote Code Execution via Malicious Themes
Impact
Specifically crafted malicious themes can execute arbitrary code on the server running Ghost.
Vulnerable Versions
This vulnerability is present in Ghost v0.7.2 to v6.19.0.
Patches
v6.19.1 contains a fix for this issue.
Workarounds
Ghost generally recommends users refrain from installing untrusted themes. If a malicious theme has already been installed, it is recommended to uninstall the theme and then inspect it to understand its impact, which will be attack-specific.
References
Ghost thanks Cristian-Alexandru Staicu at Endor Labs for disclosing this vulnerability responsibly.
For more information
If there are any questions or comments about this advisory, email Ghost at security@ghost.org.
Пакеты
ghost
>= 0.7.2, <= 6.19.0
6.19.1
Связанные уязвимости
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
Ghost is a Node.js content management system. From version 0.7.2 to 6. ...