Remote Code Execution (RCE) Affecting ghost Open this link in a new tab package, versions <4.48.2 >=5.0.0 <5.2.3

Attack Complexity

Low
Privileges Required

High
Scope

Changed

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JS-GHOST-2871341
published

15 Jun 2022
disclosed

15 Jun 2022
credit

devx00

Report a new vulnerability Found a mistake?

Introduced: 15 Jun 2022

New CWE-94 Open this link in a new tab

How to fix?

Upgrade ghost to version 4.48.2, 5.2.3 or higher.

Overview

ghost is a publishing platform

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via a file that has previously been uploaded using the file upload functionality in the post editor.

References

GitHub Commit
GitHub Commit
GitHub Release
GitHub Release

Remote Code Execution (RCE) Affecting ghost Open this link in a new tab package, versions <4.48.2 >=5.0.0 <5.2.3

Attack Complexity

Privileges Required

Scope

snyk-id

published

disclosed

credit

Introduced: 15 Jun 2022

How to fix?

Overview

References