Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Privilege escalation: all users can access Admin-level API keys
Vulnerability Description
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Information exposure
Vulnerability Title
Ghost CMS information disclosure vulnerability
Vulnerability Description
Ghost CMS is an open-source headless content management system (CMS) written in JavaScript by the Ghost Foundation of Singapore. Ghost versions 4.0.0 through 4.9.4 contain an information disclosure vulnerability caused by an error in the implementation of the limits service: it allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, which leads to privilege escalation. The issue is patched in Ghost version 4.10.0. If upgrading is not possible, disable all non-Administrator accounts to block API access. It is strongly recommended to regenerate all API keys after patching or applying the workaround.
CVSS Information
N/A
Vulnerability Type
N/A
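As an added example (not part of this advisory and not code from the Ghost project), the following Node.js script turns the description given in both entries above into a check an operator can run: it reports whether a Ghost version string falls inside the affected 4.0.0 to 4.9.4 range, and it inspects an integrations API response to list any Admin API key secrets that were returned to a non-Administrator session. The Admin API path, the session cookie name and the integrations[].api_keys[] response shape used here are assumptions about Ghost 4 rather than facts stated in the advisory, and the sample response is constructed with fake identifiers and secrets.

```javascript
// Added example: not part of the advisory text or the Ghost code base.
// Two pure helpers (version-range check, response inspection) plus an
// optional live probe. Assumptions, not facts from the advisory: the Admin
// API path and session cookie used by the probe, and the response shape
// integrations[].api_keys[] with fields `id`, `type` ('admin' | 'content')
// and `secret`.

const AFFECTED_MIN = [4, 0, 0]; // first affected release named by the advisory
const FIXED = [4, 10, 0];       // first fixed release named by the advisory

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when 4.0.0 <= version < 4.10.0, i.e. the advisory's 4.0.0 .. 4.9.4 range.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Collect every Admin API key whose secret is present in an integrations response.
// A key record without a secret string is not counted as an exposure.
function exposedAdminKeys(body) {
  const found = [];
  for (const integration of body.integrations ?? []) {
    for (const key of integration.api_keys ?? []) {
      if (key.type === 'admin' && typeof key.secret === 'string' && key.secret !== '') {
        found.push({ integration: integration.name, keyId: key.id, secret: key.secret });
      }
    }
  }
  return found;
}

// A non-Administrator caller must never receive Admin API key secrets.
function assessResponse(callerRole, body) {
  const keys = exposedAdminKeys(body);
  const vulnerable = callerRole !== 'Administrator' && keys.length > 0;
  return { vulnerable, exposed: keys.length };
}

// Constructed sample of what an affected instance hands a Contributor session
// (fake ids and secrets; field layout is the assumed Admin API shape above).
const SAMPLE_CONTRIBUTOR_RESPONSE = {
  integrations: [
    {
      id: 'int-zapier', name: 'Zapier', slug: 'zapier',
      api_keys: [
        { id: 'key-content-1', type: 'content', secret: 'fake-content-secret' },
        { id: 'key-admin-1', type: 'admin', secret: 'fake-admin-secret' },
      ],
    },
  ],
};

console.log('4.9.4 affected:', isAffectedVersion('4.9.4'));   // true
console.log('4.10.0 affected:', isAffectedVersion('4.10.0')); // false
console.log('contributor verdict:', assessResponse('Contributor', SAMPLE_CONTRIBUTOR_RESPONSE));

// Optional live probe (Node 18+ for global fetch). Run it with a *contributor*
// session cookie, e.g. GHOST_URL=https://blog.example GHOST_COOKIE='ghost-admin-api-session=<value>'.
// The endpoint path and cookie name are assumptions about Ghost 4, not advisory facts.
async function probeLive(baseUrl, cookie) {
  const url = `${baseUrl.replace(/\/$/, '')}/ghost/api/canary/admin/integrations/`;
  const res = await fetch(url, { headers: { Cookie: cookie, Accept: 'application/json' } });
  // A 403 (or any non-2xx) means the endpoint refused the caller: nothing exposed here.
  if (!res.ok) return { vulnerable: false, exposed: 0, status: res.status };
  return { ...assessResponse('Contributor', await res.json()), status: res.status };
}

if (process.env.GHOST_URL && process.env.GHOST_COOKIE) {
  probeLive(process.env.GHOST_URL, process.env.GHOST_COOKIE)
    .then((r) => console.log('live probe:', r))
    .catch((e) => console.error('probe failed:', e.message));
}
```

Run the probe with a session from a low-privilege account (a Contributor is the weakest role the advisory names) before and after upgrading or applying the workaround. An exposed count above zero means every Admin API key in that response has been readable by non-administrators and must be treated as compromised, which is why the advisory asks for all API keys to be regenerated once the fix or workaround is in place.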