Ghost vulnerable to disclosure of private API fields
Description
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.
Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to /ghost/api/content/* where the filter query parameter contains password or email.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ghostnpm | < 5.46.1 | 5.46.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-r97q-ghch-82j9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-31133ghsaADVISORY
- github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90ghsax_refsource_MISCWEB
- github.com/TryGhost/Ghost/releases/tag/v5.46.1ghsax_refsource_MISCWEB
- github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.