Vulnerabilites related to TryGhost - Ghost
CVE-2023-31133 (GCVE-0-2023-31133)
Vulnerability from cvelistv5
Published
2023-05-08 20:56
Modified
2025-01-29 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.
Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"
},
{
"name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"
},
{
"name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:53:14.110577Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:53:24.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "TryGhost",
"versions": [
{
"status": "affected",
"version": "\u003c 5.46.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.\n\nGhost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T20:56:39.299Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"
},
{
"name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"
},
{
"name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"
}
],
"source": {
"advisory": "GHSA-r97q-ghch-82j9",
"discovery": "UNKNOWN"
},
"title": "Ghost vulnerable to disclosure of private API fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31133",
"datePublished": "2023-05-08T20:56:39.299Z",
"dateReserved": "2023-04-24T21:44:10.416Z",
"dateUpdated": "2025-01-29T14:53:24.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39192 (GCVE-0-2021-39192)
Vulnerability from cvelistv5
Published
2021-09-03 14:50
Modified
2024-08-04 01:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-j5c2-hm46-wp5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/releases/tag/v4.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "TryGhost",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-03T14:50:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-j5c2-hm46-wp5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TryGhost/Ghost/releases/tag/v4.10.0"
}
],
"source": {
"advisory": "GHSA-j5c2-hm46-wp5c",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation: all users can access Admin-level API keys",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39192",
"STATE": "PUBLIC",
"TITLE": "Privilege escalation: all users can access Admin-level API keys"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ghost",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.10.0"
}
]
}
}
]
},
"vendor_name": "TryGhost"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-j5c2-hm46-wp5c",
"refsource": "CONFIRM",
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-j5c2-hm46-wp5c"
},
{
"name": "https://github.com/TryGhost/Ghost/releases/tag/v4.10.0",
"refsource": "MISC",
"url": "https://github.com/TryGhost/Ghost/releases/tag/v4.10.0"
}
]
},
"source": {
"advisory": "GHSA-j5c2-hm46-wp5c",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39192",
"datePublished": "2021-09-03T14:50:09",
"dateReserved": "2021-08-16T00:00:00",
"dateUpdated": "2024-08-04T01:58:18.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40028 (GCVE-0-2023-40028)
Vulnerability from cvelistv5
Published
2023-08-15 17:25
Modified
2024-10-02 17:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.629Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg"
},
{
"name": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T17:45:27.440128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T17:45:39.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "TryGhost",
"versions": [
{
"status": "affected",
"version": "\u003c 5.59.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost\u0027s `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-15T17:25:16.758Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg"
},
{
"name": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205"
}
],
"source": {
"advisory": "GHSA-9c9v-w225-v5rg",
"discovery": "UNKNOWN"
},
"title": "Arbitrary file read via symlinks in Ghost"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40028",
"datePublished": "2023-08-15T17:25:16.758Z",
"dateReserved": "2023-08-08T13:46:25.244Z",
"dateUpdated": "2024-10-02T17:45:39.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43409 (GCVE-0-2024-43409)
Vulnerability from cvelistv5
Published
2024-08-20 15:05
Modified
2024-09-03 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ghost:ghost:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ghost",
"vendor": "ghost",
"versions": [
{
"lessThan": "5.89.5",
"status": "affected",
"version": "4.46.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T14:32:40.578943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:58:35.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "TryGhost",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.46.0 \u003c 5.89.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T15:05:04.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-78x2-cwp9-5j42"
},
{
"name": "https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TryGhost/Ghost/commit/dac25612520b571f58679764ecc27109e641d1db"
}
],
"source": {
"advisory": "GHSA-78x2-cwp9-5j42",
"discovery": "UNKNOWN"
},
"title": "Ghost\u0027s improper authentication allows access to member information and actions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43409",
"datePublished": "2024-08-20T15:05:04.338Z",
"dateReserved": "2024-08-12T18:02:04.966Z",
"dateUpdated": "2024-09-03T14:58:35.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29484 (GCVE-0-2021-29484)
Vulnerability from cvelistv5
Published
2021-04-29 20:35
Modified
2024-08-03 22:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - {"":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Summary
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3, all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround blocking access to /ghost/preview can also mitigate the issue.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:05.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/ghost"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.sonarsource.com/ghost-admin-takeover"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "TryGhost",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they\u0027ve visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3, all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround blocking access to /ghost/preview can also mitigate the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-06T12:02:24",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/ghost"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.sonarsource.com/ghost-admin-takeover"
}
],
"source": {
"advisory": "GHSA-9fgx-q25h-jxrg",
"discovery": "UNKNOWN"
},
"title": "DOM XSS in Theme Preview",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29484",
"STATE": "PUBLIC",
"TITLE": "DOM XSS in Theme Preview"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ghost",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
}
]
},
"vendor_name": "TryGhost"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they\u0027ve visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.3.2. Immediate action should be taken to secure your site. The issue has been fixed in 4.3.3, all 4.x sites should upgrade as soon as possible. As the endpoint is unused, the patch simply removes it. As a workaround blocking access to /ghost/preview can also mitigate the issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg",
"refsource": "CONFIRM",
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg"
},
{
"name": "https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290",
"refsource": "MISC",
"url": "https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290"
},
{
"name": "https://www.npmjs.com/package/ghost",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/ghost"
},
{
"name": "https://blog.sonarsource.com/ghost-admin-takeover",
"refsource": "CONFIRM",
"url": "https://blog.sonarsource.com/ghost-admin-takeover"
}
]
},
"source": {
"advisory": "GHSA-9fgx-q25h-jxrg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29484",
"datePublished": "2021-04-29T20:35:15",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2024-08-03T22:11:05.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}