ghost@6.10.0 vulnerabilities

The professional publishing platform

Direct Vulnerabilities

Known vulnerabilities in the ghost package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • Medium severity
Server-side Request Forgery (SSRF)

ghost is a publishing platform

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the media inliner component. An attacker authenticated as a staff user can send crafted requests through the API and make the server fetch internal resources on their behalf.

How to fix Server-side Request Forgery (SSRF)?

Upgrade ghost to version 5.130.6, 6.11.0 or higher.

>=5.38.0 <5.130.6
>=6.0.0-alpha.1 <6.11.0
  • High severity
Incorrect Authorization

ghost is a publishing platform

Affected versions of this package are vulnerable to Incorrect Authorization: endpoints intended to be reachable only from a Staff Session did not correctly check how the caller had authenticated. An attacker holding a Staff Token associated with an Admin- or Owner-role user can use it to reach those restricted endpoints.

How to fix Incorrect Authorization?

Upgrade ghost to version 5.130.6, 6.11.0 or higher.

>=5.121.0 <5.130.6
>=6.0.0 <6.11.0
  • High severity
Missing Critical Step in Authentication

ghost is a publishing platform

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the email-based two-factor authentication flow. An attacker can gain unauthorized access to staff accounts by bypassing the email verification step.

How to fix Missing Critical Step in Authentication?

Upgrade ghost to version 5.130.6, 6.11.0 or higher.

>=5.105.0 <5.130.6
>=6.0.0 <6.11.0
  • High severity
SQL Injection

ghost is a publishing platform

Affected versions of this package are vulnerable to SQL Injection via the /ghost/api/admin/members/events endpoint due to insufficient validation of the postId parameter. An attacker authenticated with Admin API credentials can execute arbitrary SQL commands by sending crafted requests to this endpoint.

How to fix SQL Injection?

Upgrade ghost to version 5.130.6, 6.11.0 or higher.

>=5.90.0 <5.130.6
>=6.0.0 <6.11.0
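Added example, not Ghost's code, of the two shapes a members/events query can take. `buildEventsQueryUnsafe` splices the request-controlled postId into the SQL text; `buildEventsQuery` first checks it against the 24-character hex ObjectId shape Ghost uses for ids (an assumption here) and then binds it as a parameter. Both return `{ sql, bindings }` in knex-raw style instead of executing anything, so the effect of a crafted value is visible without a database.

```javascript
// Ghost ids are 24 lowercase hex characters (ObjectId style); assumed for this example.
const OBJECT_ID = /^[0-9a-f]{24}$/;

// The vulnerable shape: the request value is spliced into SQL text, so a value
// such as "x' or 1=1 -- " rewrites the statement instead of being compared.
function buildEventsQueryUnsafe(postId, limit = 50) {
  const sql = `select * from members_events where post_id = '${postId}' limit ${limit}`;
  return { sql, bindings: [] };
}

// The hardened shape: reject anything that is not a well-formed id before it
// reaches the query layer, clamp the integer, and bind both as parameters so
// the driver sends them separately from the statement text.
function buildEventsQuery(postId, limit = 50) {
  if (typeof postId !== 'string' || !OBJECT_ID.test(postId)) {
    throw new TypeError('postId must be a 24-character lowercase hex id');
  }
  const lim = Number.isInteger(limit) && limit > 0 && limit <= 100 ? limit : 50;
  return {
    sql: 'select * from members_events where post_id = ? limit ?',
    bindings: [postId, lim],
  };
}

// Rough tamper indicator for the unsafe builder: a well-formed statement has
// exactly two single quotes (around the id) and no comment markers.
function statementLooksTampered(sql) {
  const quotes = (sql.match(/'/g) || []).length;
  return quotes !== 2 || /--|\/\*|;/.test(sql);
}
```

The validation step is what makes the placeholder meaningful: binding alone stops the value from being parsed as SQL, but rejecting malformed ids up front also keeps them out of any other consumer (filter strings, logs, cache keys) that the same value might reach.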
  • Medium severity
Access Restriction Bypass

ghost is a publishing platform

Affected versions of this package are vulnerable to Access Restriction Bypass that allows contributors to view draft posts of other users via the /ghost/api/admin/posts endpoint and draft pages of other users via the /ghost/api/admin/pages endpoint.

NOTE: The vendor's position is that this behavior has no security impact.

How to fix Access Restriction Bypass?

There is no fixed version for ghost.

>=0.4.2-rc1
  • Medium severity
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_foot field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • Medium severity
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the codeinjection_head field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • Medium severity
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the facebook field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0
  • Medium severity
Cross-site Scripting (XSS)

ghost is a publishing platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the twitter field, which allows users to inject JavaScript into posts.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for ghost.

>=0.0.0