December 22, 2022 | Ravie Lakshmanan | Website security / vulnerability

Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform Ghost, one of which can be exploited to elevate privileges via a specially crafted HTTP request.

Tracked as CVE-2022-41654 (CVSS score: 8.5), it is an authentication bypass vulnerability that allows unprivileged users (i.e. members, as opposed to staff accounts) to tamper with newsletter settings.

Cisco Talos, which discovered the flaw, said the consequence is that members may be able to change the system-wide default newsletter that all users are subscribed to by default.


“This allows unprivileged users to view and change settings they were not meant to access,” Ghost said in an advisory published on November 28, 2022, adding that “they cannot permanently escalate their rights or access further information.”

The CMS maker blamed a “gap” in API validation, adding that it found no evidence of the issue being exploited in the wild.
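The bug class described above, a write endpoint that checks only that the caller is signed in and not what kind of account is calling, is easy to model. The following is an added illustration and is not Ghost's own code: the request shape, the `actor` object, the `subscribeOnSignup` field and the role names are assumptions made for the example. The vulnerable handler merges the request body into a newsletter as long as any session exists; the hardened one requires an administrative staff actor and allow-lists the writable fields.

```javascript
// Illustrative model of a missing authorization check on a settings API.
// Not Ghost's code; request/actor shapes and field names are assumptions.

// Constructed state: two newsletters. subscribeOnSignup is the system-wide
// setting that decides what every future signup is subscribed to.
function newsletters() {
  return {
    weekly: { id: "weekly", name: "Weekly", subscribeOnSignup: true },
    product: { id: "product", name: "Product news", subscribeOnSignup: false },
  };
}

// Fields that only an administrator should be able to write.
const WRITABLE_BY_ADMIN = new Set(["name", "subscribeOnSignup", "visibility"]);

// Vulnerable: "is there an actor at all?" is the only check, and the body
// is merged wholesale, so a member session can flip subscribeOnSignup.
function editNewsletterVulnerable(state, req) {
  if (!req.actor) return { status: 401 };
  const target = state[req.params.id];
  if (!target) return { status: 404 };
  Object.assign(target, req.body);
  return { status: 200, newsletter: target };
}

// Hardened: the actor must be a staff user with an administrative role, and
// only allow-listed keys are copied from the body.
function editNewsletterHardened(state, req) {
  if (!req.actor) return { status: 401 };
  const isAdmin =
    req.actor.type === "staff" &&
    ["Owner", "Administrator"].includes(req.actor.role);
  if (!isAdmin) return { status: 403 }; // members and other staff roles stop here
  const target = state[req.params.id];
  if (!target) return { status: 404 };
  const patch = {};
  for (const key of Object.keys(req.body)) {
    if (WRITABLE_BY_ADMIN.has(key)) patch[key] = req.body[key];
  }
  Object.assign(target, patch);
  return { status: 200, newsletter: target };
}

// Demo: a member session tries to make "product" a default newsletter.
function demo() {
  const memberReq = {
    actor: { type: "member", id: "m1" },
    params: { id: "product" },
    body: { subscribeOnSignup: true },
  };
  return {
    vulnerable: editNewsletterVulnerable(newsletters(), memberReq).status, // 200: change applied
    hardened: editNewsletterHardened(newsletters(), memberReq).status,     // 403: rejected
  };
}

module.exports = { newsletters, editNewsletterVulnerable, editNewsletterHardened, demo };
```

The point of the allow-list is that a role check alone is not enough: even an administrator-only endpoint that merges arbitrary keys will eventually expose a field nobody meant to be writable.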

Ghost has also patched a user enumeration vulnerability in the login functionality (CVE-2022-41697, CVSS score: 5.3) that could lead to the disclosure of sensitive information.

According to Talos, an attacker could exploit this vulnerability to enumerate valid Ghost users by submitting candidate email addresses to the login endpoint, and then use the confirmed addresses to narrow down targets for a subsequent phishing campaign.

The flaws have been addressed in the Ghost (Pro) managed hosting service. Self-hosted users running versions 4.46.0 through 4.48.7, or any 5.x release through 5.22.6, are advised to update to versions 4.48.8 or 5.22.7 respectively.
