GHSA-78x2-cwp9-5j42
Suggest an improvement- Source
- https://github.com/advisories/GHSA-78x2-cwp9-5j42
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-78x2-cwp9-5j42/GHSA-78x2-cwp9-5j42.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-78x2-cwp9-5j42
- Aliases
- Published
- 2024-08-20T20:04:49Z
- Modified
- 2024-10-29T20:00:41Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Ghost's improper authentication allows access to member information and actions
- Details
-
Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information.
Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.
If you're a self-hoster, please follow our update instructions.
Patches
v5.89.5 contains a fix for this issue.
Workarounds
Disable site membership in Ghost settings.
For more information
If you have any questions or comments about this advisory:
- Email us at security@ghost.org
- Database specific
{ "github_reviewed_at": "2024-08-20T20:04:49Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2024-08-20T15:15:24Z", "cwe_ids": [ "CWE-284", "CWE-287" ] }- References
Affected packages
npm / ghost
Package
- Name
- ghost
- View open source insights on deps.dev
- Purl
- pkg:npm/ghost
npm / @tryghost/portal
Package
- Name
- @tryghost/portal
- View open source insights on deps.dev
- Purl
- pkg:npm/%40tryghost/portal