Aug 20, 2024 - 3:15 p.m.

CVE-2024-43409

2024-08-20 15:15:24
CWE-287
CWE-284
GitHub_M
web.nvd.nist.gov
23
node.js
content management system
security vulnerability
ghost
member actions
authentication
information disclosure

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001
Percentile: 17.7%

Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.

Affected configurations

Node
ghost  ghost  Range 4.46.0 - 5.89.5  node.js

Vendor  Product  Version  CPE
ghost   ghost    *        cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

CNA Affected

[
  {
    "vendor": "TryGhost",
    "product": "Ghost",
    "versions": [
      {
        "version": ">= 4.46.0 < 5.89.5",
        "status": "affected"
      }
    ]
  }
]
