GHSA-78x2-cwp9-5j42: Ghost's improper authentication allows access to member information and actions

Impact

Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions and read member information.

Vulnerable versions

This security vulnerability is present in Ghost v4.46.0-v5.89.5.

Patches

v5.89.5 contains a fix for this issue.

Workarounds

None.

For more information

If you have any questions or comments about this advisory:


Package: @tryghost/portal (npm)
Affected versions: >= 1.22.2, < 2.39.0
Patched versions: 2.39.0

Package: ghost (npm)
Affected versions: >= 4.46.0, < 5.89.5
Patched versions: 5.89.5
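As an added example (not from the advisory or the Ghost project), a small check that tells whether an installed version of either package falls inside the affected ranges listed above. It hand-rolls the MAJOR.MINOR.PATCH comparison rather than depending on the semver package, and ignores prerelease suffixes.

```javascript
// Affected ranges copied from the advisory; the fixed version is the upper bound.
const AFFECTED = {
  'ghost': '>= 4.46.0, < 5.89.5',
  '@tryghost/portal': '>= 1.22.2, < 2.39.0',
};

// Parse "MAJOR.MINOR.PATCH" into three integers. A leading "v" and any
// prerelease suffix are dropped (simplification: strict semver orders
// "5.89.5-beta" before "5.89.5"; this check treats them as equal).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions field by field: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">= 4.46.0" or "< 5.89.5" against a version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\S+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unparseable comparator: ${comparator}`);
  const c = compareVersions(parseVersion(version), parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    default: return c === 0;
  }
}

// A version is affected when every comparator in the package's range holds.
function isAffected(pkg, version) {
  const range = AFFECTED[pkg];
  if (range === undefined) return false; // package not named in the advisory
  return range.split(',').every((cmp) => satisfiesComparator(version, cmp));
}

// 5.89.4 is inside the range; 5.89.5, the patched release, is not.
console.log(isAffected('ghost', '5.89.4'), isAffected('ghost', '5.89.5')); // true false
```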


References

  • GHSA-78x2-cwp9-5j42
  • https://nvd.nist.gov/vuln/detail/CVE-2024-43409
  • TryGhost/Ghost@dac2561

Published by daniellockyer to TryGhost/Ghost: Aug 20, 2024
Published by the National Vulnerability Database: Aug 20, 2024
Published to the GitHub Advisory Database: Aug 20, 2024
Reviewed: Aug 20, 2024
Last updated: Aug 20, 2024
