vulnrichment GitHub_M VULNRICHMENT:CVE-2024-43409
History: Aug 20, 2024 - 3:05 p.m.

CVE-2024-43409 Ghost's improper authentication allows access to member information and actions

2024-08-20 15:05:04
CWE-284
GitHub_M
github.com
ghost
node.js
content management system
improper authentication
member actions
security vulnerability
version 4.46.0
version 5.89.4
version 5.89.5

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 7
Confidence: Low

SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions and read member information. This security vulnerability is present in Ghost v4.46.0 through v5.89.4. v5.89.5 contains a fix for this issue.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:ghost:ghost:*:*:*:*:*:*:*:*"
    ],
    "vendor": "ghost",
    "product": "ghost",
    "versions": [
      {
        "status": "affected",
        "version": "4.46.0",
        "lessThan": "5.89.5",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
