Ghost vulnerable to disclosure of private API fields
CVE-2023-31133

7.5HIGH

Key Information:

Vendor

Tryghost

Status
Ghost
Vendor
CVE Published:
8 May 2023

What is CVE-2023-31133?

Ghost CMS allows new-media creators to build websites and publish content. Prior to version 5.46.1, a flaw in the public API endpoints could let attackers perform brute force attacks to access private fields. Although Ghost(Pro) has been patched, self-hosters running older versions remain vulnerable. To mitigate risks, users should upgrade to v5.46.1 or block requests containing sensitive filter parameters like 'password' or 'email' in API calls.

Affected Version(s)

Ghost < 5.46.1

References

https://github.com/TryGhost/Ghost/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9...
x_refsource_MISC
https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
x_refsource_MISC

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.