Base Score

MEDIUM4.3

CVE-2022-41654

An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

VectorNETWORK

Published Bytalos-cna@cisco.com

Published DateDec 22, 2022, 10:15

Affected Versions(2)

ghost(npm)

Introduced5.0.0

Fixed5.22.7

LimitN/A

ghost(npm)

Introduced4.46.0

Fixed4.48.8

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
ghost(npm)	5.0.0	5.22.7	N/A
ghost(npm)	4.46.0	4.48.8	N/A

Weakness Type (CWE):CWE-284

CVSS Metrics

Base Score

4.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM4.3

Weakness Type (CWE):CWE-284

CVSS Metrics

Base Score

4.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE