CVE-2022-41654

Published: Dec 22, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

Affected (2)

Products: Ghost: Ghost

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Ghost Ghost	From 4.46.0 to 4.48.8
Ghost Ghost	From 5.0.0 to 5.22.7

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6

Source: talos-cna@cisco.com

Third Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1624

Source: talos-cna@cisco.com

ExploitThird Party Advisory

https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1624

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.