ghost@5.49.0 vulnerabilities

The professional publishing platform

latest version

5.82.4
first published

12 years ago
latest version published

a day ago
licenses detected
- MIT
  >=0
View ghost package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ghost package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an SVG profile picture upload. A contributor user can cause scripts to be executed as owner. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	*
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `excerpt.js` component. An attacker can inject and execute arbitrary script code in the context of the user's browser session by crafting a malicious post excerpt. How to fix Cross-site Scripting (XSS)? Upgrade `ghost` to version 5.76.0 or higher.	<5.76.0
M Arbitrary File Read ghost is a publishing platform Affected versions of this package are vulnerable to Arbitrary File Read which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Note: Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. How to fix Arbitrary File Read? Upgrade `ghost` to version 5.59.1 or higher.	<5.59.1
M Access Restriction Bypass ghost is a publishing platform Affected versions of this package are vulnerable to Access Restriction Bypass that allows contributors to view draft posts of other users via the `/ghost/api/admin/posts` endpoint and draft pages of other users via the `/ghost/api/admin/pages` endpoint. NOTE: The vendor's position is that this behavior has no security impact. How to fix Access Restriction Bypass? There is no fixed version for `ghost`.	>=0.4.2-rc1
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `codeinjection_foot` field, which allows users to inject JavaScript into posts. How to fix Cross-site Scripting (XSS)? There is no fixed version for `ghost`.	>=0.0.0
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `codeinjection_head` field, which allows users to inject JavaScript into posts. How to fix Cross-site Scripting (XSS)? There is no fixed version for `ghost`.	>=0.0.0
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `facebook` field, which allows users to inject JavaScript into posts. How to fix Cross-site Scripting (XSS)? There is no fixed version for `ghost`.	>=0.0.0
M Cross-site Scripting (XSS) ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `twitter` field, which allows users to inject JavaScript into posts. How to fix Cross-site Scripting (XSS)? There is no fixed version for `ghost`.	>=0.0.0

Go back to all versions of this package

ghost@5.49.0 vulnerabilities

The professional publishing platform

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities