Overview
ghost is just a blogging platform.
Affected versions of the package are vulnerable to Bearer token leakage because the token is stored in the browser's localStorage, where it is readable by any script running on the page. Combined with a Cross-site Scripting (XSS) attack, a malicious user may hijack the user session.
Remediation
Upgrade ghost to version 0.5.9 or higher.
CVSS Score
5.1 (medium severity)
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Matteo Beccaro
- CVE: CVE-2015-1411
- CWE: CWE-200
- Snyk ID: npm:ghost:20150303
- Disclosed: 02 Mar, 2015
- Published: 30 May, 2017