Base Score

MEDIUM6.5

CVE-2024-43409

Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateAug 20, 2024, 15:15

Affected Versions(2)

ghost(npm)

Introduced4.46.0

Fixed5.89.5

LimitN/A

@tryghost/portal(npm)

Introduced1.22.2

Fixed2.39.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
ghost(npm)	4.46.0	5.89.5	N/A
@tryghost/portal(npm)	1.22.2	2.39.0	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE