CVE-2024-43409
MEDIUM6.5EPSS 0.45%Ghost's improper authentication allows access to member information and actions
描述
### Impact Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. ### Vulnerable versions This security vulnerability is present in Ghost v4.46.0-v5.89.5. Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure. If you're a self-hoster, please follow our [update instructions](https://ghost.org/docs/update). ### Patches v5.89.5 contains a fix for this issue. ### Workarounds Disable site membership in Ghost settings. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])
受影響套件(3)
- Bitnami/ghost>= 4.46.0, < 5.89.5
- npm/ghost>= 4.46.0, < 5.89.5
- npm/@tryghost/portal>= 1.22.2, < 2.39.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |