Information Exposure Affecting ghost package, versions <5.46.1
Threat Intelligence
EPSS
0.16% (54th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GHOST-5496954
- published 4 May 2023
- disclosed 3 May 2023
- credit cpaczek
Introduced: 3 May 2023
CVE-2023-31133 Open this link in a new tabHow to fix?
Upgrade ghost
to version 5.46.1 or higher.
Overview
ghost is a publishing platform
Affected versions of this package are vulnerable to Information Exposure such that due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.
Workaround
Users who are unable to upgrade should add a block for requests to /ghost/api/content/*
where the filter
query parameter contains password
or email
.
References
CVSS Scores
version 3.1