ghost@5.74.1 vulnerabilities

The professional publishing platform

Direct Vulnerabilities

Known vulnerabilities in the ghost package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Access Control

ghost is a publishing platform

Affected versions of this package are vulnerable to Improper Access Control via some endpoints used for member actions. An attacker can perform member-only actions and read member information by exploiting the improper authentication mechanism.

How to fix Improper Access Control?

Upgrade ghost to version 5.89.5 or higher.

>=4.46.0 <5.89.5
  • H
Improper Neutralization of Formula Elements in a CSV File

ghost is a publishing platform

Affected versions of this package are vulnerable to Improper Neutralization of Formula Elements in a CSV File during a member CSV export. An attacker can execute arbitrary commands by injecting maliciously crafted CSV content.

How to fix Improper Neutralization of Formula Elements in a CSV File?

Upgrade ghost to version 5.82.0 or higher.

<5.82.0
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an SVG profile picture upload. A contributor user can cause scripts to be executed as owner.

How to fix Cross-site Scripting (XSS)?

Upgrade ghost to version 5.83.0 or higher.

<5.83.0
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the excerpt.js component. An attacker can inject and execute arbitrary script code in the context of the user's browser session by crafting a malicious post excerpt.

How to fix Cross-site Scripting (XSS)?

Upgrade ghost to version 5.76.0 or higher.

<5.76.0
  • M
Access Restriction Bypass

ghost is a publishing platform

Affected versions of this package are vulnerable to Access Restriction Bypass that allows contributors to view draft posts of other users via the /ghost/api/admin/posts endpoint and draft pages of other users via the /ghost/api/admin/pages endpoint.

NOTE: The vendor's position is that this behavior has no security impact.

How to fix Access Restriction Bypass?

There is no fixed version for ghost.

>=0.4.2-rc1
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_foot field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_head field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the facebook field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • M
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the twitter field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0