ghsa-78x2-cwp9-5j42
Vulnerability from github
Published
2024-08-20 20:04
Modified
2024-10-29 20:00
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
VLAI Severity ?
Summary
Ghost's improper authentication allows access to member information and actions
Details
Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information.
Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.
If you're a self-hoster, please follow our update instructions.
Patches
v5.89.5 contains a fix for this issue.
Workarounds
Disable site membership in Ghost settings.
For more information
If you have any questions or comments about this advisory:
- Email us at security@ghost.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ghost"
},
"ranges": [
{
"events": [
{
"introduced": "4.46.0"
},
{
"fixed": "5.89.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@tryghost/portal"
},
"ranges": [
{
"events": [
{
"introduced": "1.22.2"
},
{
"fixed": "2.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43409"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-20T20:04:49Z",
"nvd_published_at": "2024-08-20T15:15:24Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nImproper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information.\n\n### Vulnerable versions\n\nThis security vulnerability is present in Ghost v4.46.0-v5.89.5.\n\nGhost(Pro) customers are automatically updated to fixed versions ahead of disclosure.\n\nIf you\u0027re a self-hoster, please follow our [update instructions](https://ghost.org/docs/update).\n\n### Patches\n\nv5.89.5 contains a fix for this issue.\n\n### Workarounds\n\nDisable site membership in Ghost settings.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@ghost.org](mailto:security@ghost.org)\n",
"id": "GHSA-78x2-cwp9-5j42",
"modified": "2024-10-29T20:00:41Z",
"published": "2024-08-20T20:04:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43409"
},
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db"
},
{
"type": "PACKAGE",
"url": "https://github.com/TryGhost/Ghost"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ghost\u0027s improper authentication allows access to member information and actions"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…