Homepage
About Snyk

Improper Access Control Affecting ghost package, versions >=4.46.0 <4.48.8 >=5.0.0 <5.22.7

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GHOST-3150398
  • published 29 Nov 2022
  • disclosed 28 Nov 2022
  • credit Dave McDaniel
Report a new vulnerability Found a mistake?

Introduced: 28 Nov 2022

CVE-2022-41654 Open this link in a new tab
CWE-284 Open this link in a new tab

How to fix?

Upgrade ghost to version 4.48.8, 5.22.7 or higher.

Overview

ghost is a publishing platform

Affected versions of this package are vulnerable to Improper Access Control due to improper validation of nested objects via the Memebers API, which allows members to make changes to newsletter settings. Exploiting this vulnerability allows unprivileged users to view and change settings they were not intended to have access to.

NOTE: By exploiting this vulnerability, it is not possible to escalate privileges permanently or get access to further information.

Workarounds:

The known exploit can be prevented by disabling members until an update can be performed.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.1 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

4.3 medium