| 0 |
| url |
VCID-322u-tcye-huf9 |
| vulnerability_id |
VCID-322u-tcye-huf9 |
| summary |
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-32235, GHSA-wf7x-fh6w-34r6
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-322u-tcye-huf9 |
|
| 1 |
| url |
VCID-5999-8zjv-rqdj |
| vulnerability_id |
VCID-5999-8zjv-rqdj |
| summary |
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://youtu.be/FCqWEvir2wE |
| reference_id |
FCqWEvir2wE |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-04-22T14:49:55Z/ |
|
|
| url |
https://youtu.be/FCqWEvir2wE |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-27139, GHSA-fvc6-qjp7-m4g4
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5999-8zjv-rqdj |
|
| 2 |
| url |
VCID-744d-rhkz-87fp |
| vulnerability_id |
VCID-744d-rhkz-87fp |
| summary |
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector." |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-23724, GHSA-99vc-xw8j-phjm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-744d-rhkz-87fp |
|
| 3 |
| url |
VCID-c6w8-e895-yffy |
| vulnerability_id |
VCID-c6w8-e895-yffy |
| summary |
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-40028, GHSA-9c9v-w225-v5rg
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c6w8-e895-yffy |
|
| 4 |
| url |
VCID-cv37-vmbh-hbge |
| vulnerability_id |
VCID-cv37-vmbh-hbge |
| summary |
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-26980, GHSA-w52v-v783-gw97
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cv37-vmbh-hbge |
|
| 5 |
|
| 6 |
| url |
VCID-kv7x-8p66-tqf3 |
| vulnerability_id |
VCID-kv7x-8p66-tqf3 |
| summary |
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.
Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-31133, GHSA-r97q-ghch-82j9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kv7x-8p66-tqf3 |
|
| 7 |
| url |
VCID-uv9z-tvr6-7ugm |
| vulnerability_id |
VCID-uv9z-tvr6-7ugm |
| summary |
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-29053, GHSA-cgc2-rcrh-qr5x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uv9z-tvr6-7ugm |
|
| 8 |
|