Severity: Medium (6.5) · Package ecosystem: npm

Ghost's improper authentication allows access to member information and actions

GHSA-78x2-cwp9-5j42 · BIT-ghost-2024-43409 · CVE-2024-43409


Description

Impact

Improper authentication on some of the endpoints used for member actions allows an unauthenticated attacker to perform member-only actions and to read member information.

Vulnerable versions

This security vulnerability is present in Ghost v4.46.0 up to and including v5.89.4; v5.89.5 is the first fixed release.

Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.

If you're a self-hoster, please follow our update instructions.

Patches

v5.89.5 contains a fix for this issue.
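As an added example (not code from the Ghost project or from this advisory), the following Python check maps a Ghost version string onto the affected range stated above: v4.46.0 up to, but not including, the fixed release v5.89.5. It also treats a pre-release of the fixed version (for example 5.89.5-rc.1) as affected, since semver orders it before the release and it may predate the fix. The site-info JSON shape (Ghost's admin client reads site details, including a `version` field, from `/ghost/api/admin/site/`) is an assumption, and the sample document is constructed rather than captured.

```python
import json
import re
from typing import Optional, Tuple

# Range stated in the advisory above: first affected and first fixed release.
AFFECTED_FROM = (4, 46, 0)
FIXED_IN = (5, 89, 5)

# Accepts "5.89.4", "v5.89.4", "5.89.5-rc.1" or "5.89.5+build.7".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)

# Constructed sample of a Ghost site-info response (response shape assumed,
# not captured from a real site).
SAMPLE_SITE_JSON = json.dumps({"site": {"title": "Example blog", "version": "5.88.0"}})


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch)), prerelease is not None


def is_affected(version: str) -> bool:
    """True if `version` lies in [4.46.0, 5.89.5), i.e. before the fix."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Ghost version string: {version!r}")
    triple, prerelease = parsed
    if triple < AFFECTED_FROM:
        return False
    if triple < FIXED_IN:
        return True
    # Semver orders 5.89.5-rc.1 before 5.89.5, so a pre-release of the fixed
    # version may predate the fix; flag it rather than assume it is patched.
    return triple == FIXED_IN and prerelease


def check_site_json(body: str) -> dict:
    """Assess a site-info JSON document and report the verdict."""
    version = json.loads(body).get("site", {}).get("version")
    if not version:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    for v in ("4.45.9", "4.46.0", "5.89.4", "5.89.5-rc.1", "5.89.5", "5.90.0"):
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print(check_site_json(SAMPLE_SITE_JSON))
```

Feed `is_affected` the version reported by `ghost version` in the install directory, or feed `check_site_json` the site-info document fetched from the instance; anything that fails to parse raises rather than silently passing as "not affected".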

Workarounds

Disable site membership in Ghost settings. This turns off member features for the whole site, so treat it as a stop-gap until the upgrade to v5.89.5 or later is applied.

For more information

If you have any questions or comments about this advisory:
