NIST CWE-79

https://blog.sonarsource.com/ghost-admin-takeover No Types Assigned

https://blog.sonarsource.com/ghost-admin-takeover Exploit, Third Party Advisory

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impa

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impa

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impa

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impa

https://blog.sonarsource.com/ghost-admin-takeover [No Types Assigned]

https://security.netapp.com/advisory/ntap-20210618-0006/ [No Types Assigned]

https://security.netapp.com/advisory/ntap-20210618-0006/ [No Types Assigned]

OR
     *cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* versions from (including) 4.0.0 up to (excluding) 4.3.3

NIST (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Victim must voluntarily interact with attack mechanism

NIST AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290 No Types Assigned

https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290 Vendor Advisory

https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg No Types Assigned

https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg Mitigation, Third Party Advisory

https://www.npmjs.com/package/ghost No Types Assigned

https://www.npmjs.com/package/ghost Product, Third Party Advisory