We found results for “”
WS-2021-0186
Good to know:
Date: July 20, 2021
An error in the implementation of the limits service in Ghost from version 4.0.0 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 4.0.0 and 4.9.4. Immediate action should be taken to secure your site. It is highly recommended to regenerate all API keys after patching or applying the workaround below. The probem has been fixed in version 4.10.0
Language: JS
Severity Score
Severity Score
Weakness Type (CWE)
Execution with Unnecessary Privileges
CWE-250Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | HIGH |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | NONE |