Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ghost vulnerable to disclosure of private API fields
Vulnerability Description
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Ghost 信息泄露漏洞
Vulnerability Description
Ghost CMS是新加坡Ghost基金会的一套使用JavaScript编写的开源无头内容管理系统(CMS)。 Ghost 5.46.1 之前版本存在信息泄露漏洞,该漏洞源于在公共 API 端点上过滤时缺乏验证 , 可以通过暴力攻击来揭示私有字段。
CVSS Information
N/A
Vulnerability Type
N/A