Improper authorization control for web services in Ghost
Description
Ghost's improper authentication allows access to member information and actions.
Impact
Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions and read member information.
Vulnerable versions
This security vulnerability is present in Ghost v4.46.0-v5.89.5.
Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure.
If you're a self-hoster, please follow our update instructions.
Patches
v5.89.5 contains a fix for this issue.
Workarounds
Disable site membership in Ghost settings.
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 5.89.5 | ||
npm | 2.39.0 |