CVE-2024-43409
Published 2024-08-20
CVE-2024-43409: Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only…
Priority P4 · 34 · Medium · 6.5 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.33% (24.2 percentile)
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | >= 4.46.0 < 5.89.5 | 5.89.5 |
| ghost | ghost | >= 4.46.0 < 5.89.5 | 5.89.5 |
| tryghost | ghost | — | — |
| tryghost | portal | >= 1.22.2 < 2.39.0 | 2.39.0 |
OSV · 2024-08-20: CVE-2024-43409 [MEDIUM] Ghost's improper authentication allows access to member information and actions
### Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions and read member information.
### Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.
If you're a self-hoster, please follow our [update instructions](https://ghost.org/docs/update).
### Patches
v5.89.5 contains a fix for this issue.
### Workarounds
Disable site membership in Ghost settings.
### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
GHSA · 2024-08-20: CVE-2024-43409 [MEDIUM] CWE-284 Ghost's improper authentication allows access to member information and actions (the GHSA advisory body is identical to the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.