ghost@5.104.0 vulnerabilities

The professional publishing platform

  • latest version: 5.105.0

  • first published: 13 years ago

  • latest version published: 8 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the ghost package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Access Restriction Bypass

    ghost is a publishing platform

    Affected versions of this package are vulnerable to Access Restriction Bypass that allows contributors to view draft posts of other users via the /ghost/api/admin/posts endpoint and draft pages of other users via the /ghost/api/admin/pages endpoint.

    NOTE: The vendor's position is that this behavior has no security impact.

    How to fix Access Restriction Bypass?

    There is no fixed version for ghost.

    Vulnerable versions: >=0.4.2-rc1
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_foot field, which allows users to inject JavaScript into posts.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for ghost.

    Vulnerable versions: >=0.0.0
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_head field, which allows users to inject JavaScript into posts.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for ghost.

    Vulnerable versions: >=0.0.0
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the facebook field, which allows users to inject JavaScript into posts.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for ghost.

    Vulnerable versions: >=0.0.0
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the twitter field, which allows users to inject JavaScript into posts.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for ghost.

    Vulnerable versions: >=0.0.0