Ghost's improper authentication allows access to member information and actions
CVE-2024-43409

6.5MEDIUM

Key Information:

Vendor: Tryghost
Status: Ghost
Vendor: CVE Published:; 20 August 2024

What is CVE-2024-43409?

Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.

Affected Version(s)

Ghost >= 4.46.0 < 5.89.5

References

https://github.com/TryGhost/Ghost/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/TryGhost/Ghost/commit/dac25612520b571f...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2024

Tryghost

What is CVE-2024-43409?

Affected Version(s)

References

CVSS V3.1

Timeline