Headline
GHSA-78x2-cwp9-5j42: Ghost's improper authentication allows access to member information and actions
Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions and read member information.
Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Patches
v5.89.5 contains a fix for this issue.
Workarounds
None.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Package: @tryghost/portal (npm)
Affected versions: >= 1.22.2, < 2.39.0
Patched versions: 2.39.0

Package: ghost (npm)
Affected versions: >= 4.46.0, < 5.89.5
Patched versions: 5.89.5
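To check an installation against the ranges listed above, the following added example (not code from the Ghost project or from this advisory) scans the `packages` map of an npm `package-lock.json` for `ghost` and `@tryghost/portal` versions inside the affected ranges. It assumes dependencies are recorded in a lockfile with lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges copied from this advisory's package list: min <= v < fixed.
const AFFECTED = new Map([
  ['ghost', { min: '4.46.0', fixed: '5.89.5' }],
  ['@tryghost/portal', { min: '1.22.2', fixed: '2.39.0' }],
]);

// Parse MAJOR.MINOR.PATCH[-prerelease][+build] into a comparable 4-tuple.
// Last slot: 0 for a prerelease, 1 for a release, so 5.89.5-rc.1 < 5.89.5.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1] : null;
}

function compare(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = inside an affected range, false = outside it or not a listed package,
// null = listed package whose version string could not be parsed.
function isAffected(name, version) {
  const range = AFFECTED.get(name);
  if (!range) return false;
  const v = parseVersion(version);
  if (!v) return null;
  return compare(v, parseVersion(range.min)) >= 0 && compare(v, parseVersion(range.fixed)) < 0;
}

// Walk every installed copy, including nested node_modules directories.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta || !meta.version) continue; // skips the root "" entry
    const name = path.slice(idx + 'node_modules/'.length);
    const result = isAffected(name, meta.version);
    if (result === false) continue;
    hits.push({ path, name, version: meta.version,
      status: result ? 'affected' : 'unparsed', fixed: AFFECTED.get(name).fixed });
  }
  return hits;
}

// Constructed sample lockfile (not from a real site).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'my-site', version: '1.0.0' },
  'node_modules/ghost': { version: '5.82.0' },
  'node_modules/ghost/node_modules/@tryghost/portal': { version: '2.39.0' },
} };
console.log(findAffected(sampleLock));
```

An entry reported as `unparsed` is a listed package with a non-numeric version string (a tag or git reference) and needs a manual check.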
References
- GHSA-78x2-cwp9-5j42
- https://nvd.nist.gov/vuln/detail/CVE-2024-43409
- TryGhost/Ghost@dac2561
daniellockyer published to TryGhost/Ghost: Aug 20, 2024
Published by the National Vulnerability Database: Aug 20, 2024
Published to the GitHub Advisory Database: Aug 20, 2024
Reviewed: Aug 20, 2024
Last updated: Aug 20, 2024